CN113282948A - Information system using method and information system - Google Patents

Publication number: CN113282948A
Authority: CN (China)
Prior art keywords: client, component, user information, user, key
Legal status: Pending
Application number: CN202110827689.5A
Other languages: Chinese (zh)
Inventors: 刘程, 白京
Current Assignee: Chengdu Huawei Technology Stock Co ltd
Original Assignee: Chengdu Huawei Technology Stock Co ltd

Classifications

    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/33 User authentication using certificates
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a method for using an information system and an information system, belonging to the field of system access. When the client component sends an operation request to the server component, the operation request includes the machine code, so the server component looks up, in the client management program, the user information of the client component corresponding to that machine code. Whether the client component has the operation authority is then determined according to the user information, and the operation request is answered only when the client component has the operation authority, which ensures information security. Meanwhile, since the user information is stored in the client management program, when the authorization of the client component is to be cancelled, the user information is simply deleted from the client management program; after the deletion the server component cannot obtain the user information, and the client component is therefore judged to have no operation authority. The information system of this scheme can thus ensure information security and cancel the authorization of the client at any time.

Description

Information system using method and information system
Technical Field
The present invention relates to system access technologies, and in particular, to an information system using method and an information system.
Background
Currently, the most widely used security access technology for information systems is HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer), an HTTP channel designed for security, which secures the transmission process by adding transmission encryption and identity authentication on top of HTTP. HTTPS adds SSL (Secure Sockets Layer) to HTTP; SSL is the security foundation of HTTPS, so the details of encryption are handled by SSL. HTTPS uses a default port different from that of HTTP and has an encryption/authentication layer (between HTTP and TCP). The system provides authentication and encrypted communication methods. It is widely used for security-sensitive communications on the World Wide Web, such as transaction payments.
The bidirectional identity authentication can solve the problem of mutual trust between the server and the client. Before data transmission, the client and the server authenticate the identity of the two parties through an X.509 certificate. The specific process is as follows:
(1) The client sends an SSL handshake message to the server to initiate a connection.
(2) The server sends the certificate to the client.
(3) The client checks the server certificate and confirms whether the certificate is issued by the certificate issuing authority trusted by the client. If not, the decision of whether to continue communication is given to the user for selection. If the check is correct or the user chooses to continue, the client approves the identity of the server.
(4) The server asks the client to send its certificate and checks whether the certificate passes authentication. If authentication fails, the connection is closed; if it succeeds, the client's public key, generally 1024 or 2048 bits, is obtained from the client certificate. At this point the server and the client have each authenticated the other's identity, which ensures that both parties are genuine and reliable.
However, HTTPS suffers from the following problems:
(I) The trust chain system of SSL certificates is not secure. Man-in-the-middle attacks remain feasible, especially in situations where the CA root certificate may be controlled in some countries.
(II) The certificate issued to the client only has a validity period, so the requirement of cancelling authorization at any time, with immediate effect, cannot be met.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides an information system using method and an information system, which aim to solve the problems that the existing information system is unsafe to access and cannot cancel the authorization of a client at any time.
The technical scheme adopted by the invention for solving the technical problems is as follows:
In one aspect,
an information system use method, comprising the steps of:
a client component sends an operation request to a server component, wherein the operation request comprises a machine code of the client component;
the server-side component acquires user information from a client-side management program according to the machine code, wherein the user information is pre-created in the client-side management program for the client-side component;
the server-side component judges whether the client-side component has the operation authority or not according to the user information;
if yes, responding to the operation request; and if not, not responding to the operation request.
Further, pre-creating the user information for the client component in the client management program includes:
a client component acquires a machine code of the client component and submits the machine code to the client management program, wherein the machine code is a unique identifier of the client component;
the client management program creates and stores user information for the client according to the machine code; the stored user information includes: a user name, a machine code, a registration time, an authorization validity period, and a public key of a random key pair.
Further, after the client management program creates and stores the user information for the client according to the machine code, the method further includes:
the client management program sends the user information and the private key of the random key pair to the client component as a user key;
the client component verifies the user key after receiving it, and stores the user key in the client component after the verification is passed.
Further, the verifying the user key includes at least one of:
verifying, by using a public key in the user information, whether the user key was sent by the client management program;
judging whether the data structure of the user key is correct according to an expected data structure;
judging whether the user key belongs to this client component according to whether the machine code in the user key is consistent with the machine code that the client component reads in real time using a preset algorithm;
and judging, according to the authorization validity period in the user key, whether the time at which the user key is received is within the authorization validity period.
Further, before the client component sends the operation request to the server component, the method further includes:
the client component verifies whether the user key stored in the client component is valid;
if the key is valid, judging whether the user key is still in the valid period according to the authorized valid period in the user key;
if so, encrypting the machine code by using a private key as a part of the operation request; and if not, not sending the operation request.
Further, the step of the server component determining whether the client component has the operation right according to the user information includes:
verifying whether the operation request is sent by the client component;
if yes, verifying whether the time when the operation request is received is within the authorization validity period;
if so, judging that the client component has the operation authority.
Further, the operation request comprises a login request and a service processing request.
Further, before the client component sends the service processing request, the method also comprises the step of encrypting the service data;
after receiving the service processing request, the server-side component decrypts the service processing request according to the public key acquired from the client-side management program and processes the decrypted service processing request; encrypting the data obtained after the processing and sending the data to the client component;
and the client side component decrypts the encrypted data after receiving the encrypted data.
Further, after the user information is created in advance for the client component in the client management program, the method further includes:
when the client management program receives an instruction to cancel the authorization of the client component, the client management program deletes the user information created for the client component.
In another aspect,
an information system, comprising: a client component, a client management program and a server component;
the client component is used for sending an operation request to the server component, wherein the operation request comprises the machine code of the client component;
the server-side component is used for acquiring user information from a client-side management program according to the machine code after receiving a request sent by the client-side component, wherein the user information is pre-created in the client-side management program for the client-side component; the server-side component is also used for judging whether the client-side component has the operation authority or not according to the user information; if yes, responding to the operation request; and if not, not responding to the operation request.
By adopting the above technical scheme, this application has at least the following beneficial effects:
The technical scheme of the application provides a method for using an information system and an information system. When a client component sends an operation request to a server component, the operation request includes the machine code, so the server component looks up, in the client management program, the user information of the client component corresponding to that machine code; the server component then judges whether the client component has the operation authority according to the user information, responds to the operation request if it does, and does not respond if it does not. Because the server component looks up the user information by machine code, the correspondence between the user information and the authorized terminal device is ensured. Whether the client component has the operation authority is then determined according to the user information, and the operation request is answered only when the client component has the operation authority, which ensures information security. Meanwhile, since the user information is stored in the client management program, when the authorization of the client component is to be cancelled, the user information is simply deleted from the client management program; after the deletion the server component cannot obtain the user information, and the client component is therefore judged to have no operation authority. The information system of this scheme can thus ensure information security and cancel the authorization of the client at any time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a method for using an information system according to an embodiment of the present invention;
FIG. 2 is a flowchart of pre-creating user information according to an embodiment of the present invention;
FIG. 3 is a flow chart of a login request according to an embodiment of the present invention;
FIG. 4 is a flow chart of a communication request according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an information system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following detailed description of the technical solutions of the present invention is provided with reference to the accompanying drawings and examples. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without making any creative effort, shall fall within the protection scope of the present application.
First, some techniques are explained.
(I) Encryption technology
(1) Symmetric encryption technology
Symmetric encryption uses the same key for encryption and decryption. It is widely used today; for example, the DES encryption standard adopted by the U.S. government is a typical symmetric encryption method, and its session key length is 56 bits.
(2) Asymmetric encryption technology
Asymmetric encryption uses different keys for encryption and decryption. There are usually two keys, called the "public key" and the "private key", which must be used as a pair; otherwise the encrypted file cannot be opened. The public key is published to the outside, while the private key is known only to its holder. The advantage shows when an encrypted file is transmitted over a network: with symmetric encryption it is difficult to tell the other party the key without it being intercepted, whatever method is used. The asymmetric method has two keys, and the public key can be published without concern about who learns it, while the recipient only needs their own private key to decrypt, which avoids the problem of key transmission security.
(II) Digital certificate
A digital certificate is a digital credential that identifies each communicating party in internet communication, and people on the internet can use it to identify the other party. It mainly has the following three characteristics:
First, security. When a user applies for a certificate, two different certificates are used, one for the working computer and one for verifying the user's information interaction. If a different computer is used, the user needs to obtain again the certificate that verifies the computer in use, and it cannot be backed up, so even if someone else steals the certificate they cannot obtain the user's account information, and the account information is protected.
Second, uniqueness. A digital certificate grants access rights according to the user's identity. If the user logs in to the account from a different computer and has no backup of the certificate, operations cannot be carried out and only account information can be viewed. The digital certificate is like a key, and its uniqueness is that of a key that can open only one lock.
Third, convenience. The user can apply for, activate and use a digital certificate immediately, and can select the digital certificate protection technology that fits the user's requirements. The user can obtain security protection directly through the digital certificate without mastering the encryption technology or its principles, which is very convenient and efficient. The digital certificate is issued by a CA center, an authoritative and highly relied-upon third party whose qualification is certified by the state, so the security of network data information can be effectively guaranteed and the data information remains under the state's control. When a user browses network data information or carries out online transactions, using the digital certificate guarantees the security of information transmission and transactions.
It is to be appreciated that the client component is a module in the client and the server component is a module in the server, which perform the functions described below. The client management program is a separately provided module that can authorize client components, i.e., create user information, and that interacts with the server component (even when the client has not logged in).
Referring to FIG. 1, an embodiment of the present invention provides a method for using an information system, including the following steps:
the client component sends an operation request to the server component, wherein the operation request comprises a machine code of the client component;
the server-side component acquires user information from the client-side management program according to the machine code, wherein the user information is pre-created in the client-side management program for the client-side component;
the server-side component judges whether the client-side component has the operation authority or not according to the user information;
if yes, responding to the operation request; if not, no response is made to the operation request.
In the information system using method provided by the embodiment of the invention, when the client component sends an operation request to the server component, the operation request includes the machine code, so the server component looks up, in the client management program, the user information of the client component corresponding to that machine code; the server component then judges whether the client component has the operation authority according to the user information, responds to the operation request if it does, and does not respond if it does not. Because the server component looks up the user information by machine code, the correspondence between the user information and the authorized terminal device is ensured. Whether the client component has the operation authority is then determined according to the user information, and the operation request is answered only when the client component has the operation authority, which ensures information security. Meanwhile, since the user information is stored in the client management program, when the authorization of the client component is to be cancelled, the user information is simply deleted from the client management program; after the deletion the server component cannot obtain the user information, and the client component is therefore judged to have no operation authority. The information system of this scheme can thus ensure information security and cancel the authorization of the client at any time.
In an embodiment, the present invention further provides another information system using method, in which pre-creating the user information for the client component in the client management program includes:
the client component acquires a machine code of the client component and submits the machine code to a client management program, wherein the machine code is a unique identifier of the client component;
the client management program creates and stores user information for the client according to the machine code; the user information stored includes: a user name, a machine code, a registration time, an authorization validity period, and a public key of a random key pair. It should be noted that the user name is the name of the client component, and the machine code is the unique identifier of the client component; registration time is the time when the user information is created; the authorization validity period is the validity period of the user information and can be changed at any time. The random key pair is a randomly generated key pair, including a public key and a private key.
After the user information is created, the client management program sends the user information and the private key of the random key pair to the client component as a user key; the client component verifies the user key after receiving the user key; after the verification is passed, the data is stored in the client component.
The verification of the user key comprises at least one of the following verification modes:
verifying whether the user key is sent by the client management program or not by using a public key in the user information;
judging whether the user key data structure is correct or not according to an expected data structure; illustratively, if the expected data structure includes user information and a private key, then a determination is made as to whether the user key includes the user information and the private key.
judging whether the user key belongs to this client component according to whether the machine code in the user key is consistent with the machine code that the client component reads in real time using a preset algorithm;
and judging whether the time for receiving the user key is within the authorization validity period or not according to the authorization validity period in the user key.
With reference to fig. 2, the steps of creating the user information in advance are specifically as follows:
(1) Client component - obtain machine code: the hardware information (CPU factory serial number + hard disk factory serial number) of the client computer, mobile phone or tablet is obtained, and a result is computed from it with the MD5 digest algorithm. The result is output as a hexadecimal string, giving a machine code of length 32 that uniquely represents the hardware characteristics of the client.
(2) Offline submission: the client machine code is provided to the system's client management program by various means, including but not limited to QQ, WeChat, DingTalk or e-mail, SMS, or USB flash drive copy.
(3) Client management program - create user information: a user is created with the following main information: user name, machine code, registration time, authorization validity period. The system automatically creates a key pair for the user, puts the public key of the key pair into the user information, and sends the private key to the client component.
(4) Client management program - export user key: the user information is selected and exported as a key (binary file).
(5) Offline issuance: the user key is issued to the user by various means, including but not limited to QQ, WeChat, DingTalk or e-mail, SMS, or USB flash drive copy.
(6) Client component - import user key: the user key is parsed and, after verification, stored locally for subsequent reading. The verification steps are:
First, check the signature: use the built-in public key of the client management program to verify whether the key was issued by the client management program.
Second, load the data: read the data according to the expected data structure.
Third, compare the machine codes: confirm that this key belongs to the local machine.
Fourth, check the validity period: confirm that the current date does not exceed the validity period in the key.
In the actual use process, the operation requests are divided into two categories, one is login requests, and the other is service processing requests such as communication requests; the following describes the present invention with a login request and a communication request, respectively.
As shown in fig. 3, the login operation steps are as follows:
(1) Client component - read local key: the local key is read and its validity is verified with the public key of the authorization terminal. If the signature verification succeeds, the authorization validity period is verified.
(2) Client component - generate login information: the machine code is obtained and encrypted with the user's private key.
(3) Submit to the server for verification: the login information is submitted to the server.
(4) Server component - verify user signature and save record: the login information is verified with the public key pre-stored in the user information, and after it is verified successfully the authorization validity period is verified (the client management program can change the authorization validity period at any time, and the change takes effect immediately). If the request is within the validity period, login is allowed.
(5) Client component - process verification result: the client handles subsequent logic according to the verification result of the server.
Before the client component sends the communication request, the method also comprises the step of encrypting the service data; after receiving the communication request, the server-side component decrypts the communication request according to the public key acquired from the client-side management program and processes the decrypted communication request; encrypting the data obtained after the processing and sending the data to a client component; the client component decrypts the encrypted data after receiving the encrypted data.
Specifically, as shown in fig. 4:
(1) Client component - prepare business data: service data is prepared and serialized into a binary stream.
(2) Client component - encrypt data: the service data is encrypted and signed with the user's private key.
(3) Server component - decrypt data: the data submitted by the client is verified and decrypted with the public key pre-stored in the user information.
(4) Server component - process business logic: the business logic of the information system itself is processed and the returned results are serialized into a binary stream.
(5) Server component - encrypt data: the data is encrypted and signed with the public key pre-stored in the user information.
(6) Client component - decrypt data: the service data is verified and decrypted with the user's private key.
(7) Client component - process business logic: the business logic is processed using the decrypted data.
It should be noted that, when the client component sends the service processing request, local verification is also required, including the client component verifying whether the user key stored in the client component is valid; if the key is valid, judging whether the user key is still in the valid period according to the valid period of the authorization in the user key; if so, encrypting the machine code by using a private key as a part of the operation request; if not, no operation request is sent.
As an optional mode in the embodiment of the present invention, after the user information has been created in advance for the client component in the client management program, when the client management program receives an instruction to cancel the authorization of the client component, the client management program deletes the user information created for the client component.
In the information system using method provided by the embodiment of the invention, user information is created in advance for the client component in the client management program; then, when the client component sends an operation request, the server component verifies the client component according to the user information in the client management program, and responds to the client component's request only after the verification passes. Before sending an operation request, the client component checks whether the locally stored user key is valid and sends the request only if it is, which ensures security at the time of sending; and during service processing requests, both the client component and the server component encrypt the data they send, which ensures the security of the data. Because the server component must obtain the user information from the client management program whenever it receives any operation request, once the user information has been deleted from the client management program, the server component's lookup by machine code finds nothing (the client component's information has been deleted from the client management program and cannot be found), verification fails for lack of valid client information, and an error message is returned to the client component. In this way, the embodiment of the invention can cancel the authorization at any time.
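The registration, per-request check and revocation flow described above, as an added Python example that is not part of the patent text. The class and function names are hypothetical, the hardware serials and dates are constructed, and HMAC-SHA256 with a per-client secret stands in for the patent's private-key/public-key verification because Python's standard library has no asymmetric signatures.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


def machine_code(cpu_serial: str, disk_serial: str) -> str:
    """MD5 digest of CPU serial + disk serial as a 32-character hex string."""
    return hashlib.md5((cpu_serial + disk_serial).encode("utf-8")).hexdigest()


@dataclass
class UserInfo:
    user_name: str
    machine_code: str
    registered_at: datetime
    valid_until: datetime
    verify_key: bytes  # assumption: stands in for the public key of the key pair


class ClientManager:
    """Hypothetical client management program: the only store of user information."""

    def __init__(self):
        self._users = {}

    def create_user(self, user_name, code, now, valid_until):
        key = secrets.token_bytes(32)
        self._users[code] = UserInfo(user_name, code, now, valid_until, key)
        return key  # delivered to the client component inside the user key

    def set_validity(self, code, valid_until):
        self._users[code].valid_until = valid_until  # effective on the next request

    def revoke(self, code):
        self._users.pop(code, None)  # cancelling authorization = deleting the record

    def lookup(self, code):
        return self._users.get(code)


def sign_request(code: str, key: bytes) -> dict:
    """Client component: operation request carrying the machine code and a proof."""
    proof = hmac.new(key, code.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"machine_code": code, "proof": proof}


def authorize(manager: ClientManager, request: dict, now: datetime):
    """Server component: look the client up on every request, then decide."""
    code = str(request.get("machine_code", ""))
    info = manager.lookup(code)
    if info is None:
        return False, "unknown or revoked client"
    expected = hmac.new(info.verify_key, code.encode("utf-8"), hashlib.sha256).hexdigest()
    supplied = str(request.get("proof", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "proof does not verify"
    if now > info.valid_until:
        return False, "authorization expired"
    return True, "ok"


def demo():
    """Walk one constructed client through login, tampering, expiry and revocation."""
    t0 = datetime(2021, 7, 22, 9, 0)  # constructed registration time
    later = t0 + timedelta(days=1)
    manager = ClientManager()
    code = machine_code("CPU-0001-CONSTRUCTED", "DISK-0001-CONSTRUCTED")
    key = manager.create_user("client-a", code, t0, t0 + timedelta(days=30))
    request = sign_request(code, key)

    results = [authorize(manager, request, later)]
    results.append(authorize(manager, dict(request, proof="00" * 32), later))
    manager.set_validity(code, t0)  # validity shortened by the management program
    results.append(authorize(manager, request, later))
    manager.revoke(code)  # user information deleted
    results.append(authorize(manager, request, later))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Because the proof covers only the machine code, as in the login step on this page, it is identical on every request; the example adds no nonce or timestamp of its own.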
As shown in Fig. 5, an embodiment of the present invention provides an information system, including: a client component 11, a client management program 12 and a server component 13;
the client component 11 is used for sending an operation request to the server component 13, wherein the operation request comprises the machine code of the client component 11;
the server component 13 is configured to, after receiving the request sent by the client component 11, obtain user information from the client management program 12 according to the machine code, where the user information is created in advance in the client management program 12 for the client component 11; the server component 13 is further configured to determine whether the client component 11 has an operation right according to the user information; if yes, responding to the operation request; and if not, not responding to the operation request.
The technical scheme of the invention provides an information system in which a client component sends an operation request to a server component; when the server component receives the operation request, it obtains user information from the client management program and performs authentication verification on the client component according to the obtained user information; finally, it determines whether to respond to the request according to the authentication result. Because whether the server component responds to the request is determined by the result of the authentication verification performed on the client component, information security can be ensured as long as the rigor of the authentication verification is ensured; meanwhile, because the user information required for authentication verification is stored in the client management program, the authorization of a client component can be cancelled by directly deleting its user information from the client management program. Therefore, the information system provided by the embodiment of the invention can ensure information security and cancel the authorization of a client at any time.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that, in the description of the present application, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present application, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware associated with program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (10)

1. An information system use method, comprising the steps of:
a client component sends an operation request to a server component, wherein the operation request comprises a machine code of the client component;
the server-side component acquires user information from a client-side management program according to the machine code, wherein the user information is pre-created in the client-side management program for the client-side component;
the server-side component judges whether the client-side component has the operation authority or not according to the user information;
if yes, responding to the operation request; and if not, not responding to the operation request.
2. The method of claim 1, wherein: the pre-creating of the user information in the client management program for the client component comprises:
a client component acquires a machine code of the client component and submits the machine code to the client management program, wherein the machine code is a unique identifier of the client component;
the client management program creates and stores user information for the client according to the machine code; the stored user information includes: a user name, a machine code, a registration time, an authorization validity period, and a public key of a random key pair.
3. The method of claim 2, wherein the client management program creating and saving user information for the client according to the machine code further comprises:
the client management program sends the user information and the private key of the random key pair to the client component as a user key;
the client side component verifies the user key after receiving the user key, and stores the information in the client component after the verification passes.
4. The method of claim 3, wherein: the verifying the user key comprises at least one of the following modes:
verifying whether the user key is sent by a client management program or not by using a public key in the user information;
judging whether the user key data structure is correct or not according to an expected data structure;
judging whether the user key belongs to the client component according to whether the machine code in the user key is consistent with the machine code that the client component reads in real time according to a preset algorithm;
and judging whether the time for receiving the user key is within the authorized valid period or not according to the authorized valid period in the user key.
5. The method of claim 3, wherein: before the client component sends the operation request to the server component, the method further comprises the following steps:
the client component verifies whether the user key stored in the client component is valid;
if the key is valid, judging whether the user key is still in the valid period according to the authorized valid period in the user key;
if so, encrypting the machine code by using a private key as a part of the operation request; and if not, not sending the operation request.
6. The method of claim 1, wherein: the step that the server component judges whether the client component has the operation authority according to the user information comprises the following steps:
verifying whether the operation request is sent by the client component;
if yes, verifying whether the time when the operation request is received is within the authorization validity period;
if so, judging that the client component has the operation authority.
7. The method according to any one of claims 1-6, wherein: the operation request comprises a login request and a service processing request.
8. The method of claim 7, wherein:
before the client side component sends the service processing request, the method also comprises the step of encrypting the service data;
after receiving the service processing request, the server-side component decrypts the service processing request according to the public key acquired from the client-side management program and processes the decrypted service processing request; encrypting the data obtained after the processing and sending the data to the client component;
and the client side component decrypts the encrypted data after receiving the encrypted data.
9. The method of claim 1, wherein after the client component pre-creates user information in the client management program, the method further comprises:
when the client side management program receives the authorization to cancel the client side component, the client side management program deletes the user information created for the client side component.
10. An information system, comprising: a client component, a client management program and a server component;
the client component is used for sending an operation request to the server component, wherein the operation request comprises the machine code of the client component;
the server-side component is used for acquiring user information from a client-side management program according to the machine code after receiving a request sent by the client-side component, wherein the user information is pre-created in the client-side management program for the client-side component; the server-side component is also used for judging whether the client-side component has the operation authority or not according to the user information; if yes, responding to the operation request; and if not, not responding to the operation request.
CN202110827689.5A 2021-07-22 2021-07-22 Information system using method and information system Pending CN113282948A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110827689.5A CN113282948A (en) 2021-07-22 2021-07-22 Information system using method and information system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110827689.5A CN113282948A (en) 2021-07-22 2021-07-22 Information system using method and information system

Publications (1)

Publication Number Publication Date
CN113282948A true CN113282948A (en) 2021-08-20

Family

ID=77286905

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110827689.5A Pending CN113282948A (en) 2021-07-22 2021-07-22 Information system using method and information system

Country Status (1)

Country Link
CN (1) CN113282948A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105306417A (en) * 2014-06-25 2016-02-03 深圳市华夏双赢通信有限公司 Network data distribution method based on super router and network system
CN107358122A (en) * 2017-07-24 2017-11-17 郑州云海信息技术有限公司 The access management method and system of a kind of data storage
CN110489394A (en) * 2019-07-23 2019-11-22 中国平安人寿保险股份有限公司 Intermediate data processing method and equipment
CN110841297A (en) * 2019-11-14 2020-02-28 网易(杭州)网络有限公司 Data processing method and device and machine readable medium
CN111104690A (en) * 2019-11-22 2020-05-05 北京三快在线科技有限公司 Document monitoring method and device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210820
