CN112714124A - Cross-network and cross-border based data access security authentication method and system - Google Patents


Info

Publication number: CN112714124A
Authority: CN (China)
Prior art keywords: data, cross, access, identity, legal
Prior art date: not listed
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202011578809.4A
Other languages: Chinese (zh)
Other versions: CN112714124B (en)
Inventor: 倪时龙
Current assignee: Gemean Beijing Information Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Gemean Beijing Information Technology Co ltd
Priority date, filing date, publication date: not listed (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by Gemean Beijing Information Technology Co ltd; priority to CN202011578809.4A; publication of CN112714124A; application granted; publication of CN112714124B; legal status Active; anticipated expiration not listed

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of security, in particular to a cross-network and cross-border based data access security authentication method and system. The method comprises the following steps: in response to a system access instruction, determine whether the device to be accessed is legal; if the device is legal, authenticate the identity of the access system; if that identity is legal, authenticate the data package to be transmitted against a preset naming rule; if the data package passes that authentication, verify the data inside it against a preset data verification rule; and if the data is legal, send the data package. This multi-layer authentication secures both the service systems that access the platform and the data in transit, and so improves the reliability and robustness of the system in cross-network and cross-border application scenarios.

Description

Cross-network and cross-border based data access security authentication method and system
Technical Field
The invention relates to the technical field of security, in particular to a data access security authentication method and system based on cross-network and cross-border.
Background
As business becomes more international, more and more enterprises operate branch companies abroad, and files frequently have to be transmitted in the course of daily work. Sending them directly through ordinary communication software such as QQ or WeChat carries a considerable security risk, so the prior art uses a dedicated device that encrypts a file before it is transmitted. A problem remains, however: the files uploaded to that dedicated device are not themselves authenticated, so malicious data may be uploaded and accessed, which puts the security of the whole system at risk.
Disclosure of Invention
Therefore, a cross-network and cross-border based data access security authentication method is needed to solve the technical problem that files uploaded to the dedicated device are not authenticated, which exposes the whole system to risk. The specific technical scheme is as follows:
a data access security authentication method based on cross-network and cross-border comprises the following steps:
responding to a system access instruction, and judging whether the equipment to be accessed is legal or not;
if the equipment to be accessed is legal, authenticating the identity of the access system;
if the identity of the access system is legal, authenticating the data package to be transmitted according to a preset naming rule;
if the data package to be transmitted passes the authentication, verifying the data in the data package to be transmitted according to a preset data verification rule;
and if the data in the data package to be transmitted is legal, sending the data package to be transmitted.
Further, in one form, "authenticating the identity of the access system" specifically includes the following step:
authenticating the identity of the accessing user and, if that identity authentication passes, further determining whether the user has the corresponding operation authority.
Further, in another form, "authenticating the identity of the access system" specifically includes the following step:
in response to a login instruction from the system administrator, authenticating the administrator's identity and, if that identity authentication passes, executing the administrator's operation instruction.
Further, before the step of determining whether the device to be accessed is legal, the method further comprises the following steps:
registering legal access equipment to corresponding central equipment;
the method for judging whether the equipment to be accessed is legal specifically comprises the following steps:
and judging whether the equipment to be accessed is in a registration list of the central equipment.
Further, the "preset naming rule" is as follows: the data package name includes one or more of an organization code, a business system code, a directory code, a structured identification code, a hierarchical classification identification and the current time;
the structured file name includes one or more of a business system code, a directory rule code, a structured identification code and the current time.
Further, the "sending the data package to be transmitted" specifically includes the steps of:
responding to a data package sending instruction, and selecting a master key according to the ID of the receiving end equipment;
generating a working key;
reading file data in a data package, and encrypting the file data plaintext through the working key to obtain a file data ciphertext;
calculating a plain text hash value of the file data;
encrypting the working key by using the master key to obtain a working key ciphertext, and calculating working key information to obtain a message authentication code;
sending the work key ciphertext, the file data ciphertext, the message authentication code and a data plaintext hash value to a central server;
the receiving end obtains the work key ciphertext, the file data ciphertext, the message authentication code and a data plaintext hash value from the central server, selects a master key according to the ID of the sending end equipment, and uses the master key to decrypt the work key ciphertext;
verifying whether the message authentication code is correct, if so, decrypting the file data ciphertext through the working key to obtain a file data plaintext to be confirmed, and calculating a plaintext hash value of the file data to be confirmed;
and judging whether the hash value of the file data to be confirmed is consistent with the hash value of the data plaintext, if so, successfully decrypting.
To solve the same technical problem, a cross-network and cross-border based data access security authentication system is also provided, with the following technical scheme:
a data access security authentication system based on cross-network and cross-border comprises: a sending terminal and a central server;
the central server is used for: responding to a system access instruction, and judging whether the equipment to be accessed is legal or not;
the sending end is used for: if the equipment to be accessed is legal, authenticating the identity of the access system;
the sending end is further configured to: if the identity of the access system is legal, authenticating the data package to be transmitted according to a preset naming rule;
the central server is further configured to: and if the data package to be transmitted passes the authentication, verifying the data in the data package to be transmitted according to a preset data verification rule.
Further, the sending end is further configured to: and authenticating the identity of the access user, and if the identity authentication is passed, further judging whether the access user has the corresponding operation authority.
Further, the sending end is further configured to: and responding to the login instruction of the system administrator, authenticating the identity of the system administrator, and executing the operation instruction of the system administrator if the identity authentication is passed.
Further, the "preset naming rule" is as follows: the data package name includes one or more of an organization code, a business system code, a directory code, a structured identification code, a hierarchical classification identification and the current time;
the structured file name includes one or more of a business system code, a directory rule code, a structured identification code and the current time.
The invention has the beneficial effects that: responding to a system access instruction, and judging whether the equipment to be accessed is legal or not; if the equipment to be accessed is legal, authenticating the identity of the access system; if the identity of the access system is legal, authenticating the data package to be transmitted according to a preset naming rule; if the data package to be transmitted passes the authentication, verifying the data in the data package to be transmitted according to a preset data verification rule; and if the data in the data package to be transmitted is legal, sending the data package to be transmitted. Through the multi-layer authentication, the reliability of the access service system and the safety of data transmission are ensured, and the reliability and the robustness of the system in the cross-network and cross-border application scene are further improved.
Drawings
Fig. 1 is a flowchart of the cross-network and cross-border based data access security authentication method according to an embodiment;
Fig. 2 is a diagram illustrating verification in the structured XML format according to an embodiment;
Fig. 3 is a diagram illustrating verification in the structured JSON format according to an embodiment;
Fig. 4 is a schematic flowchart of sending the data package to be transmitted according to the specific embodiment;
Fig. 5 is a schematic diagram of the module connections of the cross-network and cross-border based data access security authentication system according to an embodiment.
Description of reference numerals:
500. cross-network and cross-border based data access security authentication system;
501. sending end / receiving end;
502. central server.
Detailed Description
To explain technical contents, structural features, and objects and effects of the technical solutions in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
Referring to fig. 1 to 4, in the present embodiment, the cross-network and cross-border based data access security authentication method can be applied to a cross-network and cross-border based data access security authentication system in the following scenario: the sending-end device and the receiving-end device are located in different countries and on different networks, for example device A in China and device B abroad; when device A acts as the sending end, device B acts as the receiving end, and the two exchange data through a central server. How to ensure the security of the systems that access the central server, and of the data they upload, is the key problem the present application solves.
The core technical idea of the application is multi-layer authentication, specifically: authenticating the device to be accessed, authenticating the identity of the access system, authenticating the data package to be transmitted, and authenticating the legality of the data inside that package, so that the reliability of the accessing service system and the security of the transmitted data are ensured and the reliability and robustness of the system in cross-network and cross-border scenarios are improved. The specific steps are as follows:
Step S101: respond to the system access instruction. Specifically, an operator acts on the interface of the sending end to request access to the central device. Step S102: is the device to be accessed legal? The central device determines whether the device to be accessed is legal. Before step S102 the method further includes registering legal access devices with the corresponding central device, specifically: when a device is installed and deployed it is connected to the two cross-network ports, and, with network reachability ensured, the IP address of the device to be accessed and the IP address of the central device it connects to are configured; connectivity to the central network is configured, reachability between the devices is tested, and the legal device to be accessed is registered with the corresponding central device, after which the devices can interconnect. Whether a device to be accessed is legal can therefore be decided by checking whether it appears in the registration list of the central device. The registration list stores information that uniquely identifies each device to be accessed, such as its MAC address.
Once the access device is found to be legal, step S103 is executed: authenticate the identity of the access system; does the authentication pass? Step S103 involves two kinds of authentication, which may be as follows:
The first: authenticate the identity of the accessing user and, if that passes, further determine whether the user has the corresponding operation authority. Specifically, when a service system accesses the transmission interface through an application adapter or a call, it must present identity information (user name/password and CA certificate); the system checks the identity and authority so that only an authorized legal user can perform and complete the operation.
The second: in response to a login instruction from the system administrator, authenticate the administrator's identity and, if that passes, execute the administrator's operation instruction. Specifically, a user who logs in to the management platform to perform system management must go through the system's identity authentication and authorization management.
When the identity of the user logged in to the system is legal and has the operation right, step S104 is executed: authenticate the data package to be transmitted according to the preset naming rule; does the authentication pass?
The preset naming rule is as follows. The data package name includes one or more of: organization code, business system code, directory code, structured identification code, hierarchical classification identification and current time. Preferably, the data package (ZIP) name consists of an organization code, a business system code, a directory code, a structured identification code [1 = structured, 0 = unstructured, 2 = combined (structured + unstructured)], a hierarchical classification identification, and the current time (accurate to year, month, day, hour, minute and second).
The structured file name includes one or more of: business system code, directory rule code, structured identification code and current time. Preferably, for structured data transmission the packaged XML/JSON content is written out as a corresponding XML or JSON file whose name consists of the business system code, the directory rule code, the structured identification code [1 = structured, 0 = unstructured, 2 = combined (structured + unstructured)] and the current time (accurate to year, month, day, hour, minute and second); different file types are distinguished by suffix, 'XML' if the file format is XML and 'JSON' if it is JSON.
First, it is determined according to the preset naming rule whether the data package to be transmitted is named in compliance with it; if so, step S105 is executed: verify the data in the data package to be transmitted according to the preset data verification rule; does the verification pass? Specifically:
the data package being accessed is verified against the configured structured-data verification rule; non-compliant data is filtered out, and the finding is recorded and fed back to the calling user.
Structured XML format verification is shown in Fig. 2.
Structured JSON format verification is shown in Fig. 3.
Here OrgDevCode corresponds to the enterprise code and device code, xtbgoa is the root node of the business data, and the child nodes of that node hold the specific data content. For batch data, multiple records are distinguished by configuring multiple xtbgoa nodes, and if a record has associated attachments an fjid node is added, with multiple attachments separated by a delimiter.
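The data verification rule of step S105 can be enforced mechanically on a JSON payload of the shape Fig. 3 describes. The following Node.js function is an added example, not code from the patent or its assignee: only the OrgDevCode, xtbgoa and fjid node names come from the text; the ";" attachment separator, the nested field names, and the sample payload are this example's own assumptions. It accepts xtbgoa either as a single record or as an array for batch data, filters out non-compliant records, and returns the list of violations to be recorded and fed back to the calling user.

```javascript
// Added example: applies the data verification rule of step S105 to a structured
// JSON payload. Only OrgDevCode, xtbgoa and fjid come from the patent; the ";"
// attachment separator and the sample field names are assumptions.
const ATTACHMENT_SEP = ';';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Returns { records, problems }: records are the compliant xtbgoa entries (non-compliant
// data is filtered out); problems is the list to record and feed back to the caller.
function validateStructuredJson(text) {
  const problems = [];
  let top;
  try { top = JSON.parse(text); } catch (e) { return { records: [], problems: [`payload is not JSON: ${e.message}`] }; }
  if (!isPlainObject(top)) return { records: [], problems: ['payload must be a JSON object'] };
  // OrgDevCode carries the enterprise code and device code.
  if (typeof top.OrgDevCode !== 'string' || top.OrgDevCode.trim() === '') problems.push('OrgDevCode missing or empty');
  // xtbgoa is the root node of the business data: one record, or an array for batch data.
  if (!('xtbgoa' in top)) return { records: [], problems: [...problems, 'xtbgoa root node missing'] };
  const batch = Array.isArray(top.xtbgoa) ? top.xtbgoa : [top.xtbgoa];
  const records = [];
  batch.forEach((rec, i) => {
    if (!isPlainObject(rec)) { problems.push(`xtbgoa[${i}] is not an object`); return; }
    if (Object.keys(rec).length === 0) { problems.push(`xtbgoa[${i}] has no data content`); return; }
    if ('fjid' in rec) { // optional attachment IDs, several joined by the separator
      if (typeof rec.fjid !== 'string') { problems.push(`xtbgoa[${i}].fjid must be a string`); return; }
      if (rec.fjid.split(ATTACHMENT_SEP).some((id) => id.trim() === '')) {
        problems.push(`xtbgoa[${i}].fjid contains an empty attachment id`);
        return;
      }
    }
    records.push(rec);
  });
  if (batch.length === 0) problems.push('xtbgoa holds no records');
  return { records, problems };
}

// Constructed sample payload: one compliant record with two attachments, one empty record.
const sample = '{"OrgDevCode":"ORG01-DEV07","xtbgoa":[{"title":"report","fjid":"F001;F002"},{}]}';
console.log(validateStructuredJson(sample));
```

Every violation is collected rather than the first one aborting the check, so the feedback to the calling user lists everything that has to be corrected, while the compliant records can still be passed on.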
Step S106: send the data package to be transmitted.
Further, in order to ensure the security of the data package to be transmitted, the step of "sending the data package to be transmitted" specifically includes the steps of:
responding to a data package sending instruction, and selecting a master key according to the ID of the receiving end equipment;
generating a working key;
reading file data in a data package, and encrypting the file data plaintext through the working key to obtain a file data ciphertext;
calculating a plain text hash value of the file data;
encrypting the working key by using the master key to obtain a working key ciphertext, and calculating working key information to obtain a message authentication code;
sending the work key ciphertext, the file data ciphertext, the message authentication code and a data plaintext hash value to a central server;
the receiving end obtains the work key ciphertext, the file data ciphertext, the message authentication code and a data plaintext hash value from the central server, selects a master key according to the ID of the sending end equipment, and uses the master key to decrypt the work key ciphertext;
verifying whether the message authentication code is correct, if so, decrypting the file data ciphertext through the working key to obtain a file data plaintext to be confirmed, and calculating a plaintext hash value of the file data to be confirmed;
and judging whether the hash value of the file data to be confirmed is consistent with the hash value of the data plaintext, if so, successfully decrypting.
The present embodiment involves a master key and a working key. The master key is used mainly to encrypt the working key; that alone does not further improve security, so the method additionally includes: determining whether the current master key has already been used and, if so, computing a new master key from the current master key data, the derived key and the version number, where the derived key is preset. In other words, each master key is used only once, and both the version number and the derived key are preset.
In this embodiment, a unique master key is assigned in advance to each sending-end/receiving-end pair. Specifically, if there are two sending ends a1 and a2 (which may also act as receiving ends) and three receiving ends b1, b2 and b3 (which may also act as sending ends), there are six pairs a1b1, a1b2, a1b3, a2b1, a2b2 and a2b3, and six master keys are assigned, one uniquely corresponding to each pair.
Referring to fig. 4, the specific encryption/decryption process is as follows (steps S401 to S406 are the encryption process and steps S407 to S411 the decryption process):
Step S401: in response to the file upload instruction, select the master key according to the ID of the receiving-end device. Specifically, after the sending end receives the file uploaded by the corresponding service system it enters the file encryption flow, and the master control program selects the master key according to the ID of the receiving-end device.
Step S402: generate a working key. Specifically, the noise-source chip is called to generate the working key.
Step S403: read the file data and encrypt the file data plaintext with the working key to obtain the file data ciphertext. The file data is read by file name, and the plaintext encryption is performed by the FPGA (SM4_XTS).
Step S404: calculate the plaintext hash value of the file data. Specifically, the plaintext hash of the file data is computed by the FPGA (SM3_HASH).
Step S405: encrypt the working key with the master key to obtain the working key ciphertext, and compute a message authentication code over the working key information. Specifically, the working key is encrypted with the master key (SM4_CBC) and a message authentication code (SM4_CBC_MAC) is computed over the working key information. The sending end, the receiving end and the server all hold the correct format of the message authentication code; this format serves as the initial authentication and information-extraction criterion. If the format is not satisfied, the message authentication code is directly deemed illegal and the information in it is not extracted. When sending, the sending end computes the message authentication code in this format, for example: a fixed character string of a preset number of bits at the front of the message authentication code is the start marker of the information; the working key information follows; a fixed-character end marker is stored after the working key information; and finally the length of the working key information is computed and stored at the tail.
Step S406: send the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value to the central server.
Step S407: the receiving end obtains the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value from the central server, selects the master key according to the ID of the sending-end device, and uses the master key to decrypt the working key ciphertext.
Step S408: is the message authentication code correct? Specifically, it is first determined whether the message authentication code conforms to the preset format. If it does, the working key information and the length information are extracted from it for the initial check; if they are correct, the message authentication code is deemed correct.
If it is correct, step S409 is executed: decrypt the file data ciphertext with the working key to obtain the file data plaintext to be confirmed, and compute the hash value of that plaintext. Specifically, the receiving-end FPGA decrypts the file data ciphertext with the working key to obtain the plaintext to be confirmed, and the FPGA then computes the hash value of that plaintext.
Step S410: is the hash value of the file data plaintext to be confirmed consistent with the received data plaintext hash value? If yes, step S411 is executed: decryption is successful.
In this way, the security of cross-network and cross-environment data transmission between the sending end and the receiving end can be effectively guaranteed.
Referring to fig. 2 to 5, in the present embodiment, an embodiment of a cross-network and cross-border based data access security authentication system 500 is as follows:
a cross-network cross-border based data access security authentication system 500, comprising: a transmitting end 501 and a central server 502;
the central server 502 is configured to: and responding to the system access instruction and judging whether the equipment to be accessed is legal or not. The method specifically comprises the following steps: the interface operates at the sender 501 to access the central server 502. The central server 502 determines whether the device to be accessed is legal. Before determining whether the device to be accessed is legal, the legal access device needs to be registered to the corresponding central server 502. The method specifically comprises the following steps: when the equipment is installed and deployed, two cross-network port networks are accessed, and the equipment to be accessed and the IP of the connection center server 502 need to be configured under the condition of ensuring the smooth network; the connectivity with the central network is configured, the network intercommunication situation between the devices is tested, and the legal devices to be accessed are registered to the corresponding central server 502, so that the interconnection and intercommunication of the devices can be realized. Therefore, whether the device to be accessed is legal can be determined by determining whether the device to be accessed is in the registration list of the central server 502. The information stored in the registration list may be information that uniquely identifies the device to be accessed, such as a MAC address corresponding to each device to be accessed.
The sending end 501 is configured to: and if the equipment to be accessed is legal, authenticating the identity of the access system. Two kinds of authentication are mainly involved, which can be specifically as follows:
the first method comprises the following steps: the sending end 501 is further configured to: and authenticating the identity of the access user, and if the identity authentication is passed, further judging whether the access user has the corresponding operation authority. The method specifically comprises the following steps: when a service system accesses a transmission interface through an application adapter or call, identity information (user name/password and CA certificate) must be provided, and the system checks the identity and authority, so that an authorized legal user can operate and complete the operation.
The second: in response to the login instruction of the system administrator, authenticate the identity of the system administrator and, if the identity authentication passes, execute the administrator's operation instruction. Specifically: when a user logs in to the management platform to perform system management, the user must pass the system's identity authentication and authorization management.
The sending end 501 is further configured to: if the identity of the access system is legal, authenticate the data package to be transmitted according to a preset naming rule.
The preset naming rule is as follows. The data package name includes one or more of: organization code, business system code, directory code, structured identification code, hierarchical classification identification and current time. Preferably, the data package (ZIP) name consists of the organization code, the business system code, the directory code, the structured identification code [1 - structured, 0 - unstructured, 2 - combined (structured + unstructured)], the hierarchical classification identification, and the current time (accurate to year, month, day, hour, minute and second).
The structured file name includes one or more of: business system code, directory rule code, structured identification code and current time. Preferably, for structured data transmission a corresponding XML or JSON file is generated from the packaged XML/JSON-format data, and the naming rule of the generated XML/JSON file is: business system code, directory rule code, structured identification code [1 - structured, 0 - unstructured, 2 - combined (structured + unstructured)] and current time (accurate to year, month, day, hour, minute and second). Different file types are distinguished by the suffix: if the file format is XML, 'XML' is used as the file suffix; if the file format is JSON, 'JSON' is used as the suffix.
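As an added example (not code from the patent), the following Python validator enforces the package and structured-file naming rules described above. The page gives the field order, the 0/1/2 structured identification codes, the year-to-second time and the XML/JSON suffixes, but not the field separator or the format of the individual codes; the underscore separator, alphanumeric codes and the yyyyMMddHHmmss time layout are assumptions of this example.

```python
import re
from datetime import datetime
from typing import Dict, List

# Structured identification codes as given on the page.
STRUCTURED_CODES = {"0": "unstructured", "1": "structured", "2": "combined"}

# Assumptions (not stated on the page): fields are joined with "_", each code is
# a non-empty alphanumeric token, and the time field is yyyyMMddHHmmss.
SEPARATOR = "_"
TIME_FORMAT = "%Y%m%d%H%M%S"
CODE_RE = re.compile(r"^[A-Za-z0-9]+$")
STRUCTURED_SUFFIXES = {"XML", "JSON"}


def _code(field: str, value: str) -> str:
    if not CODE_RE.match(value):
        raise ValueError(f"{field} must be a non-empty alphanumeric code, got {value!r}")
    return value


def _timestamp(value: str) -> datetime:
    # strptime also rejects impossible dates such as month 13 or hour 25.
    if len(value) != 14 or not value.isdigit():
        raise ValueError(f"current time must be 14 digits yyyyMMddHHmmss, got {value!r}")
    return datetime.strptime(value, TIME_FORMAT)


def _structured_code(value: str) -> str:
    if value not in STRUCTURED_CODES:
        raise ValueError(f"structured identification code must be 0, 1 or 2, got {value!r}")
    return STRUCTURED_CODES[value]


def _split_name(filename: str, expected_fields: int, allowed_suffixes) -> List[str]:
    """Split 'a_b_c.SUFFIX' into its fields plus the upper-cased suffix."""
    stem, dot, suffix = filename.rpartition(".")
    if not dot or suffix.upper() not in allowed_suffixes:
        raise ValueError(f"suffix must be one of {sorted(allowed_suffixes)}, got {filename!r}")
    parts = stem.split(SEPARATOR)
    if len(parts) != expected_fields:
        raise ValueError(f"expected {expected_fields} fields, got {len(parts)} in {stem!r}")
    return parts + [suffix.upper()]


def parse_package_name(filename: str) -> Dict[str, object]:
    """Data package (ZIP) name: organization code, business system code, directory
    code, structured identification code, hierarchical classification, current time."""
    org, system, directory, struct_code, classification, ts, _ = _split_name(filename, 6, {"ZIP"})
    return {
        "organization": _code("organization code", org),
        "business_system": _code("business system code", system),
        "directory": _code("directory code", directory),
        "structured": _structured_code(struct_code),
        "classification": _code("hierarchical classification identification", classification),
        "time": _timestamp(ts),
    }


def parse_structured_file_name(filename: str) -> Dict[str, object]:
    """Structured XML/JSON file name: business system code, directory rule code,
    structured identification code, current time, with an XML or JSON suffix."""
    system, rule, struct_code, ts, suffix = _split_name(filename, 4, STRUCTURED_SUFFIXES)
    return {
        "business_system": _code("business system code", system),
        "directory_rule": _code("directory rule code", rule),
        "structured": _structured_code(struct_code),
        "time": _timestamp(ts),
        "format": suffix,
    }


def is_valid_package_name(filename: str) -> bool:
    try:
        parse_package_name(filename)
        return True
    except ValueError:
        return False


def is_valid_structured_file_name(filename: str) -> bool:
    try:
        parse_structured_file_name(filename)
        return True
    except ValueError:
        return False
```

The parse functions raise `ValueError` with the offending field named, which is the message the sending end would record when a package fails the naming check; the boolean wrappers are for callers that only need the accept/reject decision.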
The central server 502 is further configured to: if the data package to be transmitted passes the authentication, verify the data in the data package according to a preset data verification rule.
Specifically: verification of the access data package according to the configured structured data verification rule is supported; non-compliant data is filtered out, and the information is recorded and fed back to the calling user.
Structured XML format verification is shown in FIG. 2.
Structured JSON format verification is shown in FIG. 3.
Here OrgDevCode corresponds to the enterprise code and the device code, xtbgoa corresponds to the root node of the business data, and the child nodes of that node carry the specific data content. For batch data, multiple records are distinguished by configuring multiple xtbgoa nodes; if a record has associated attachments, an fjid node is added, and multiple attachments are separated by a delimiter.
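An added example (not from the patent) of the JSON-side verification step: it checks OrgDevCode against a registration list (the central server's registered-device check from above), accepts xtbgoa as a single record or a batch, splits the fjid attachment references, filters out non-compliant records and returns the feedback messages for the calling user. The JSON layout, the ',' attachment delimiter and the registered-code set are assumptions; the page shows the schema only in FIG. 3.

```python
import json
from typing import Any, Dict, Iterable, List, Tuple

# Assumption: attachments in an fjid node are separated by ','.
ATTACHMENT_DELIMITER = ","

# Constructed registration list of enterprise/device codes (stand-in for the
# central server's registration list).
REGISTERED_DEVICES = {"ORG01-DEV07", "ORG01-DEV08"}

# Constructed sample business data: two compliant records and one with an
# empty attachment id.
SAMPLE_JSON = json.dumps({
    "OrgDevCode": "ORG01-DEV07",
    "xtbgoa": [
        {"docNo": "2020-001", "title": "Weekly report", "fjid": "F001,F002"},
        {"docNo": "2020-002", "title": "Notice"},
        {"docNo": "2020-003", "fjid": "F003,"},
    ],
})


def _split_attachments(fjid: Any) -> List[str]:
    if not isinstance(fjid, str) or not fjid:
        raise ValueError("fjid must be a non-empty string")
    ids = [a.strip() for a in fjid.split(ATTACHMENT_DELIMITER)]
    if any(not a for a in ids):
        raise ValueError(f"fjid contains an empty attachment id: {fjid!r}")
    return ids


def _check_record(rec: Any) -> Dict[str, Any]:
    """One xtbgoa record: must be an object with data content; fjid is optional."""
    if not isinstance(rec, dict):
        raise ValueError("xtbgoa record must be an object")
    fields = {k: v for k, v in rec.items() if k != "fjid"}
    if not fields:
        raise ValueError("xtbgoa record carries no data content")
    out: Dict[str, Any] = dict(fields)
    if "fjid" in rec:
        out["attachments"] = _split_attachments(rec["fjid"])
    return out


def validate_business_json(text: str, registered: Iterable[str]) -> Tuple[List[dict], List[str]]:
    """Return (accepted records, feedback messages for rejected data)."""
    registered = set(registered)
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [], [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return [], ["root must be a JSON object"]
    code = doc.get("OrgDevCode")
    if not isinstance(code, str) or code not in registered:
        return [], [f"OrgDevCode {code!r} is not a registered enterprise/device code"]
    records = doc.get("xtbgoa")
    if records is None:
        return [], ["missing xtbgoa root node"]
    if isinstance(records, dict):       # single record
        records = [records]
    if not isinstance(records, list):   # batch must be a list of records
        return [], ["xtbgoa must be an object or a list of objects"]
    accepted, feedback = [], []
    for idx, rec in enumerate(records):
        try:
            accepted.append(_check_record(rec))
        except ValueError as exc:
            feedback.append(f"xtbgoa[{idx}] rejected: {exc}")
    return accepted, feedback


if __name__ == "__main__":
    ok, problems = validate_business_json(SAMPLE_JSON, REGISTERED_DEVICES)
    print(len(ok), "records accepted;", problems)
```

Rejections are per record rather than per package, so a batch with one malformed xtbgoa node still delivers the compliant records, while the feedback list is what gets logged and returned to the caller.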
In the cross-network and cross-border based data access security authentication system 500, the central server 502 is configured to respond to a system access instruction and determine whether the device to be accessed is legal; the sending end 501 is configured to authenticate the identity of the access system if the device to be accessed is legal; the sending end 501 is further configured to authenticate the data package to be transmitted according to a preset naming rule if the identity of the access system is legal; and the central server 502 is further configured to verify the data in the data package to be transmitted according to a preset data verification rule if the data package passes the authentication. Through this multi-layer authentication, the reliability of the access service system and the safety of data transmission are ensured, and the reliability and robustness of the system in the cross-network and cross-border application scenario are further improved.
Further, in order to ensure the security of the data package to be transmitted, the following step is also included: receiving the data.
The sending end 501 is configured to: in response to a file upload instruction, select a master key according to the device ID of the receiving end; generate a working key; read the file data and encrypt the file data plaintext with the working key to obtain the file data ciphertext; compute the hash value of the file data plaintext; encrypt the working key with the master key to obtain the working key ciphertext, and compute a message authentication code over the working key information; and send the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value to the central server 502.
The receiving end obtains the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value from the central server 502.
The receiving end is further configured to: select the master key according to the device ID of the sending end 501 and use the master key to decrypt the working key ciphertext;
verify whether the message authentication code is correct and, if so, decrypt the file data ciphertext with the working key to obtain the file data plaintext to be confirmed, and compute the hash value of that plaintext;
and determine whether the hash value of the file data to be confirmed equals the received data plaintext hash value; if so, decryption has succeeded.
Further, the sending end 501 is further configured to determine whether the current master key has already been used and, if so, compute a new master key from the current master key data, the derived key and the version number;
the derived key is preset.
Further, each combination of sending end 501 and receiving end is assigned its own unique master key.
Further, the noise source chip of the sending end 501 is called to generate the working key.
Further, the sending end 501 is further configured to read the file data according to the file name.
With this system, the security of cross-network and cross-environment data transmission between the sending end 501 and the receiving end can be ensured in practice.
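The upload/download exchange above, including per-pair master keys, version-based master key rotation and the noise-source working key, as an added Python example; it is not the patent's code and the page names no algorithms. Assumed here: the new master key is HMAC-SHA256 of the current master key and version number under the preset derived key; HMAC-SHA256 in counter mode stands in for the symmetric cipher used both to encrypt the file and to wrap the working key; SHA-256 is the plaintext hash; HMAC-SHA256 over the working key information is the message authentication code; os.urandom stands in for the noise source chip; and a dict stands in for the central server's relay. The receiving end checks the message authentication code before it uses the unwrapped working key.

```python
import dataclasses
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

PairKey = Tuple[str, str]  # (sending end ID, receiving end ID)

# Constructed preset material: one master key per sender/receiver pair and the
# preset derived key used for rotation. Both ends hold identical copies.
BASE_MASTER_KEYS: Dict[PairKey, bytes] = {("SND-01", "RCV-09"): bytes(range(32))}
DERIVED_KEY = b"constructed-preset-derived-key"


class MasterKeyStore:
    """Master keys per (sender, receiver) pair, rotated by version number."""

    def __init__(self, base_keys: Dict[PairKey, bytes], derived_key: bytes):
        self.base_keys = dict(base_keys)
        self.derived_key = derived_key
        self.next_version: Dict[PairKey, int] = {}

    def master_key(self, pair: PairKey, version: int) -> bytes:
        # Assumption: new master key = HMAC(derived key, current master key || version).
        key = self.base_keys[pair]
        for v in range(1, version + 1):
            key = hmac.new(self.derived_key, key + v.to_bytes(4, "big"), hashlib.sha256).digest()
        return key

    def select_for_sending(self, pair: PairKey) -> Tuple[bytes, int]:
        # A master key that has already been used is replaced by the next version.
        version = self.next_version.get(pair, 0)
        self.next_version[pair] = version + 1
        return self.master_key(pair, version), version


@dataclass(frozen=True)
class Envelope:
    """What the sending end hands to the central server for the receiver to fetch."""
    sender_id: str
    receiver_id: str
    version: int
    key_nonce: bytes
    working_key_ciphertext: bytes
    mac: bytes
    file_nonce: bytes
    file_ciphertext: bytes
    plaintext_hash: bytes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (HMAC-SHA256 in counter mode), standard library only."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def _key_info(sender_id: str, receiver_id: str, version: int, key_nonce: bytes, wrapped: bytes) -> bytes:
    """The 'working key information' the message authentication code covers."""
    return b"|".join([sender_id.encode(), receiver_id.encode(), version.to_bytes(4, "big"), key_nonce, wrapped])


def sender_upload(store: MasterKeyStore, sender_id: str, receiver_id: str, file_data: bytes) -> Envelope:
    master, version = store.select_for_sending((sender_id, receiver_id))
    working_key = os.urandom(32)            # stand-in for the noise source chip
    file_nonce = os.urandom(16)
    file_ciphertext = _keystream_xor(working_key, file_nonce, file_data)
    plaintext_hash = hashlib.sha256(file_data).digest()
    key_nonce = os.urandom(16)
    wrapped = _keystream_xor(master, key_nonce, working_key)   # working key ciphertext
    mac = hmac.new(master, _key_info(sender_id, receiver_id, version, key_nonce, wrapped), hashlib.sha256).digest()
    return Envelope(sender_id, receiver_id, version, key_nonce, wrapped, mac, file_nonce, file_ciphertext, plaintext_hash)


def receiver_download(store: MasterKeyStore, env: Envelope) -> bytes:
    master = store.master_key((env.sender_id, env.receiver_id), env.version)
    info = _key_info(env.sender_id, env.receiver_id, env.version, env.key_nonce, env.working_key_ciphertext)
    if not hmac.compare_digest(hmac.new(master, info, hashlib.sha256).digest(), env.mac):
        raise ValueError("message authentication code mismatch")
    working_key = _keystream_xor(master, env.key_nonce, env.working_key_ciphertext)
    plaintext = _keystream_xor(working_key, env.file_nonce, env.file_ciphertext)
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), env.plaintext_hash):
        raise ValueError("plaintext hash mismatch")
    return plaintext


def demo() -> dict:
    sender = MasterKeyStore(BASE_MASTER_KEYS, DERIVED_KEY)
    receiver = MasterKeyStore(BASE_MASTER_KEYS, DERIVED_KEY)
    relay: Dict[str, Envelope] = {}       # the central server only stores and hands over envelopes
    relay["report.zip"] = sender_upload(sender, "SND-01", "RCV-09", b"first file")
    first = receiver_download(receiver, relay["report.zip"])
    relay["report2.zip"] = sender_upload(sender, "SND-01", "RCV-09", b"second file")
    second = receiver_download(receiver, relay["report2.zip"])
    tampered = dataclasses.replace(relay["report2.zip"], working_key_ciphertext=bytes(32))
    try:
        receiver_download(receiver, tampered)
        tamper_error = None
    except ValueError as exc:
        tamper_error = str(exc)
    return {"first": first, "second": second,
            "second_version": relay["report2.zip"].version, "tamper_error": tamper_error}
```

The version number travels in the envelope so the receiving end can derive the matching master key without any extra state. The plaintext hash only confirms the file after decryption, so the message authentication code over the working key information is the first check that rejects an envelope not produced under the pair's master key.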
It should be noted that, although the above embodiments have been described herein, the invention is not limited to them. Therefore, changes and modifications to the embodiments described herein that are based on the innovative concepts of the present invention, and equivalent structures or equivalent processes derived from the content of this specification and the attached drawings, whether applied directly or indirectly to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A cross-network and cross-border based data access security authentication method, characterized by comprising the following steps:
responding to a system access instruction and determining whether the device to be accessed is legal;
if the device to be accessed is legal, authenticating the identity of the access system;
if the identity of the access system is legal, authenticating the data package to be transmitted according to a preset naming rule;
if the data package to be transmitted passes the authentication, verifying the data in the data package to be transmitted according to a preset data verification rule;
and if the data in the data package to be transmitted is legal, sending the data package to be transmitted.
2. The cross-network cross-border based data access security authentication method as claimed in claim 1, wherein said "authenticating the identity of the access system" further comprises the step of:
authenticating the identity of the access user and, if the identity authentication passes, further determining whether the access user has the corresponding operation authority.
3. The cross-network cross-border based data access security authentication method as claimed in claim 1, wherein said "authenticating the identity of the access system" further comprises the step of:
responding to the login instruction of the system administrator, authenticating the identity of the system administrator and, if the identity authentication passes, executing the operation instruction of the system administrator.
4. The cross-network cross-border based data access security authentication method as claimed in claim 1, wherein, before said determining whether the device to be accessed is legal, the method further comprises the step of:
registering legal access devices with the corresponding central device;
and said determining whether the device to be accessed is legal specifically comprises:
determining whether the device to be accessed is in the registration list of the central device.
5. The cross-network cross-border based data access security authentication method as claimed in claim 1, wherein the "preset naming rule" is: the data package name includes one or more of: organization code, business system code, directory code, structured identification code, hierarchical classification identification and current time;
and the structured file name includes one or more of: business system code, directory rule code, structured identification code and current time.
6. The cross-network cross-border based data access security authentication method as claimed in claim 1, wherein said sending the data package to be transmitted specifically comprises the steps of:
responding to a data package sending instruction and selecting a master key according to the device ID of the receiving end;
generating a working key;
reading the file data in the data package and encrypting the file data plaintext with the working key to obtain a file data ciphertext;
computing the hash value of the file data plaintext;
encrypting the working key with the master key to obtain a working key ciphertext, and computing a message authentication code over the working key information;
sending the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value to a central server;
the receiving end obtaining the working key ciphertext, the file data ciphertext, the message authentication code and the data plaintext hash value from the central server, selecting the master key according to the device ID of the sending end, and decrypting the working key ciphertext with the master key;
verifying whether the message authentication code is correct and, if so, decrypting the file data ciphertext with the working key to obtain the file data plaintext to be confirmed, and computing the hash value of that plaintext;
and determining whether the hash value of the file data to be confirmed equals the data plaintext hash value; if so, decryption has succeeded.
7. A cross-network and cross-border based data access security authentication system, comprising a sending end and a central server, wherein:
the central server is configured to: respond to a system access instruction and determine whether the device to be accessed is legal;
the sending end is configured to: if the device to be accessed is legal, authenticate the identity of the access system;
the sending end is further configured to: if the identity of the access system is legal, authenticate the data package to be transmitted according to a preset naming rule;
and the central server is further configured to: if the data package to be transmitted passes the authentication, verify the data in the data package to be transmitted according to a preset data verification rule.
8. The cross-network cross-border based data access security authentication system of claim 7, wherein the sending end is further configured to: authenticate the identity of the access user and, if the identity authentication passes, further determine whether the access user has the corresponding operation authority.
9. The cross-network cross-border based data access security authentication system of claim 7, wherein the sending end is further configured to: respond to the login instruction of the system administrator, authenticate the identity of the system administrator and, if the identity authentication passes, execute the operation instruction of the system administrator.
10. The cross-network cross-border based data access security authentication system as claimed in claim 7, wherein the "preset naming rule" is: the data package name includes one or more of: organization code, business system code, directory code, structured identification code, hierarchical classification identification and current time;
and the structured file name includes one or more of: business system code, directory rule code, structured identification code and current time.
CN202011578809.4A 2020-12-28 2020-12-28 Cross-network and cross-border based data access security authentication method and system Active CN112714124B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011578809.4A CN112714124B (en) 2020-12-28 2020-12-28 Cross-network and cross-border based data access security authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011578809.4A CN112714124B (en) 2020-12-28 2020-12-28 Cross-network and cross-border based data access security authentication method and system

Publications (2)

Publication Number Publication Date
CN112714124A true CN112714124A (en) 2021-04-27
CN112714124B CN112714124B (en) 2023-04-18

Family

ID=75545704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011578809.4A Active CN112714124B (en) 2020-12-28 2020-12-28 Cross-network and cross-border based data access security authentication method and system

Country Status (1)

Country Link
CN (1) CN112714124B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112702355A (en) * 2020-12-29 2021-04-23 福建正孚软件有限公司 Cross-border file transmission method and system fusing operation and maintenance system
CN112788005A (en) * 2020-12-29 2021-05-11 福建正孚软件有限公司 Software and hardware combined cross-border transmission method and system for improving safety

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120227096A1 (en) * 2011-03-04 2012-09-06 Intercede Limited Method and apparatus for transferring data
CN104363221A (en) * 2014-11-10 2015-02-18 青岛微智慧信息有限公司 Network safety isolation file transmission control method
CN106603461A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Business authentication method, apparatus and system
US20170302653A1 (en) * 2016-04-14 2017-10-19 Sophos Limited Portable encryption format
CN107633402A (en) * 2017-09-14 2018-01-26 深圳市华付信息技术有限公司 A kind of method and its system for being used to polymerize certification
CN111478923A (en) * 2020-04-28 2020-07-31 华为技术有限公司 Access request response method and device and electronic equipment

Also Published As

Publication number Publication date
CN112714124B (en) 2023-04-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant