CN113486348A

CN113486348A - API service security control system and method for open bank

Info

Publication number: CN113486348A
Application number: CN202110740530.XA
Authority: CN
Inventors: 赵炎; 彭云; 杨洋; 周军; 吴一凡
Original assignee: China Construction Bank Corp
Current assignee: China Construction Bank Corp
Priority date: 2021-06-30
Filing date: 2021-06-30
Publication date: 2021-10-08

Abstract

The invention relates to the field of network security, and provides an API service security control system and method for an open bank, wherein the system comprises: the mobile terminal SDK is used for sending the communication message to the cooperative mechanism server; entering an entry address of a product, generating an encrypted transaction message and sending the encrypted transaction message to an API gateway; the cooperation mechanism server is used for sending the token application request message to the API gateway after the identity identification and authentication of the application program is successful; the open bank API gateway is used for generating an access token and sending the access token to the open bank background system; and returning to the mobile terminal SDK: an entry address, an access token, and a key for the product; sending a transaction message request to an open bank background system; the open bank background system is used for carrying out risk assessment and sending an assessment result to the API gateway; and performing anti-unauthorized verification and transaction behavior analysis, and sending the response message to the API gateway. User data leakage is avoided, and fund loss is reduced.

Description

API service security control system and method for open bank

Technical Field

The invention relates to the technical field of network security, in particular to an API service security control system and method for an open bank.

Background

Open banks are translated from Open Banking in english, proposed by the united kingdom, and originated and popularized as a data sharing and Open data exploration in the Banking industry in the united kingdom and the european union, which is a secure way for providers to access the financial information of customers using Open API technology. On one hand, the customer can know the own account in more detail; on the other hand, the customer may enjoy better financial services through a third party provider. The open bank platform is used as an open financial service platform, user experience is used as guidance, an ecological scene is used as a touch point, the core capacity of a financial institution is used as support, and the open bank platform is built and shared with main bodies such as clients, employees, suppliers and technology developers by means of modern technologies, so that first-class financial service is provided for the clients.

The business value of open banks is that commercial banks develop commercial collaboration with partners by means of an API, breaking the previous technical barrier. Thus, only the obligation to be effective in data protection will allow the service to develop in the long run. However, when an open bank carries out API services, the use security of the API can only be restricted by a cooperation protocol, and serious vulnerabilities such as malicious skipping of service verification steps and the like caused by the deliberate of a cooperation organization or system vulnerabilities of the bank exist, so that the events of user data leakage or capital loss occur.

Disclosure of Invention

The embodiment of the invention provides an API service security control system of an open bank, which is used for avoiding user data leakage and reducing fund loss, and comprises the following components:

the mobile terminal SDK is used for receiving the user identification information sent by the application program and collecting the application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a cooperative mechanism service end for identity identification authentication; entering an entry address of a product returned by the API gateway of the open bank, generating an encrypted transaction message by using the access token and the secret key, and sending the encrypted transaction message to the API gateway of the open bank;

the cooperation mechanism server is used for receiving the communication message sent by the mobile terminal SDK and carrying out identity identification authentication on the application program according to the communication message; after the identity recognition and authentication are successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway;

the open bank API gateway is used for receiving a token application request message sent by the cooperative mechanism server, generating an access token according to the token application request message, and sending the access token to an open bank background system; and returning to the mobile terminal SDK according to the evaluation result fed back by the open bank background system: an entry address, an access token, and a key for the product; receiving an encrypted transaction message sent by a mobile terminal SDK, and sending a transaction message request to an open bank background system according to the encrypted transaction message; receiving a response message returned by the open bank background system, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK;

the open bank background system is used for receiving the access token, carrying out risk assessment and sending an assessment result to the open bank API gateway; and receiving the transaction message request, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway.

In a specific embodiment, the collaboration service end is specifically configured to:

receiving the communication message sent by the SDK of the mobile terminal, verifying whether the application program is a counterfeit according to the communication message, and if the verification result is a non-counterfeit, determining that the identity identification authentication is successful;

after the identity recognition and authentication are successful, determining user identity information according to the communication message;

and converting the user identity information into identity information of an open bank system, replacing the user identity information in the communication message by using the identity information of the open bank system to obtain a token application request message, and sending the token application request message to an API gateway of the open bank.

In a specific embodiment, the mobile terminal SDK is specifically configured to:

when the mobile terminal SDK is initialized, receiving user identification information sent by an application program, and collecting application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a cooperative mechanism service end for identity identification authentication;

when the mobile terminal SDK page mode is transacted, opening a webpage view control and jumping to the entry address of the product; and assembling the access token into a transaction message, encrypting the transaction message by using the secret key to generate an encrypted transaction message, and sending the encrypted transaction message to the API gateway of the open bank.

In a specific embodiment, when the mobile terminal SDK is initialized, the API gateway of the open bank is specifically configured to:

receiving a token application request message sent by the cooperative mechanism server, and performing permission verification according to the token application request message;

after the permission verification is passed, generating an access token, and sending the access token to a product service back-end component of the open bank background system;

receiving user element information and main transaction account information returned by the product service back-end component, caching the user element information and the main transaction account information into Redis by taking the access token as a key and the user element information and the main transaction account information as values;

according to the information cached in the Redis, a risk evaluation request is sent to a risk control platform of an open bank background system, and an evaluation result fed back by the risk control platform is received;

determining whether to approve the access of the mobile terminal SDK according to the evaluation result fed back by the risk control platform;

and when the access of the mobile terminal SDK is approved, returning to the mobile terminal SDK: the entry address of the product, the access token and the key.

Accordingly, in a specific embodiment, the open bank background system includes:

the product service back-end component is used for receiving the access token sent by the API gateway of the open bank, identifying the access token and obtaining user element information and main transaction account information of the user; returning the user element information and the main transaction account information of the user to the open bank API gateway;

the risk control platform is used for receiving a risk evaluation request initiated by the API gateway of the open bank and determining application program use information and user element information according to the risk evaluation request; and performing risk assessment by using the application program use information and the user element information, determining an assessment result, and feeding the assessment result back to the API gateway of the open bank.

In a specific embodiment, when the mobile terminal SDK page mode transacts, the open bank API gateway is specifically configured to:

receiving an encrypted transaction message sent by a mobile terminal SDK, and decrypting the encrypted transaction message;

carrying out token verification on the decrypted transaction message, and sending a transaction message request to a product service back-end component of the open bank background system after the verification is passed;

and receiving a response message returned by the open bank background system, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK.

the product service back-end component is used for receiving a transaction message request sent by the open bank API gateway and recording the processing state of the business process in a cache according to the transaction message request; obtaining user identity information from the user element information cached in Redis, and performing anti-unauthorized comparison on the obtained user identity information and the transaction identity information in the transaction message request; after the comparison is passed, processing the corresponding transaction; pushing related information of the transaction to a risk control platform; receiving a transaction behavior analysis result fed back by the risk control platform, generating a response message, and returning the response message to the open bank API gateway;

and the risk control platform is used for receiving the related information of the transaction pushed by the product service back-end component, performing transaction behavior analysis according to the related information of the transaction, determining a transaction behavior analysis result and feeding back the transaction behavior analysis result to the product service back-end component.

The embodiment of the invention also provides an API service security control method of an open bank, which is used for avoiding user data leakage and reducing fund loss, and comprises the following steps:

the mobile terminal SDK receives user identification information sent by an application program and collects application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a cooperative mechanism service end for identity identification authentication;

the cooperation mechanism server receives the communication message sent by the mobile terminal SDK, and performs identity identification authentication on the application program according to the communication message; after the identity recognition and authentication are successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway;

the open bank API gateway receives a token application request message sent by the cooperative mechanism server, generates an access token according to the token application request message, and sends the access token to an open bank background system;

the open bank background system receives the access token, carries out risk assessment and sends an assessment result to the open bank API gateway;

and the open bank API gateway returns the evaluation result fed back by the open bank background system to the mobile terminal SDK: an entry address, an access token, and a key for the product;

the mobile terminal SDK enters an entry address of a product returned by the open bank API gateway, generates an encrypted transaction message by using the access token and the secret key, and sends the encrypted transaction message to the open bank API gateway;

the open bank API gateway receives an encrypted transaction message sent by the mobile terminal SDK, and sends a transaction message request to an open bank background system according to the encrypted transaction message;

the open bank background system receives the transaction message request, performs anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sends the response message to the open bank API gateway;

and the open bank API gateway receives a response message returned by the open bank background system, determines a transaction response result according to the response message, and sends the transaction response result to the mobile terminal SDK.

In a specific embodiment, the cooperation mechanism server receives the communication message sent by the mobile terminal SDK, and performs identity identification authentication on the application program according to the communication message; after the identity recognition and authentication are successful, the communication message is converted to obtain a token application request message, and the token application request message is sent to an API gateway of the open bank, wherein the method comprises the following steps:

the cooperation mechanism server receives the communication message sent by the mobile terminal SDK, verifies whether the application program is counterfeit according to the communication message, and if the verification result is non-counterfeit, the identity recognition authentication is determined to be successful;

In a specific embodiment, the mobile terminal SDK receives user identification information sent by an application program and collects application program use information; obtaining a communication message according to the user identification information and the application program use information, sending the communication message to an SDK authentication service interface of a cooperative mechanism service end, and performing identity identification authentication, wherein the identity identification authentication comprises the following steps:

when the mobile terminal SDK is initialized, the mobile terminal SDK receives user identification information sent by an application program and collects application program use information;

and obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a service end of the cooperation mechanism for identity identification authentication.

In a specific embodiment, the method for receiving a token application request message sent by a service end of a cooperative mechanism by an open bank API gateway, generating an access token according to the token application request message, and sending the access token to an open bank background system includes:

when a mobile terminal SDK is initialized, an open bank API gateway receives a token application request message sent by a cooperative mechanism server terminal, and performs authority verification according to the token application request message;

and initiating a risk evaluation request to a risk control platform of the open bank background system according to the information cached in the Redis.

In a specific embodiment, the receiving, by the open bank background system, the access token, performing risk assessment, and sending an assessment result to the open bank API gateway includes:

the product service back-end component receives the access token sent by the API gateway of the open bank, identifies the access token and obtains user element information and main transaction account information of the user; returning the user element information and the main transaction account information of the user to the open bank API gateway;

a risk control platform receives a risk evaluation request initiated by the API gateway of the open bank, and determines application program use information and user element information according to the risk evaluation request; and performing risk assessment by using the application program use information and the user element information, determining an assessment result, and feeding the assessment result back to the API gateway of the open bank.

In a specific embodiment, the open bank API gateway returns an evaluation result fed back by the open bank background system to the mobile terminal SDK: an entry address, an access token and a key for a product, comprising:

when the mobile terminal SDK is initialized, the open bank API gateway receives an evaluation result fed back by the risk control platform;

In a specific embodiment, the mobile terminal SDK enters an entry address of a product returned by the open bank API gateway, generates an encrypted transaction message by using the access token and the key, and sends the encrypted transaction message to the open bank API gateway, including:

when the mobile terminal SDK is in page mode transaction, the mobile terminal SDK opens a webpage view control and jumps to the entry address of the product;

and assembling the access token into a transaction message, encrypting the transaction message by using the secret key to generate an encrypted transaction message, and sending the encrypted transaction message to the API gateway of the open bank.

In a specific embodiment, the method for sending the transaction message request to the open bank background system by the open bank API gateway receiving the encrypted transaction message sent by the mobile terminal SDK includes:

when the mobile terminal SDK page mode is transacted, receiving an encrypted transaction message sent by the mobile terminal SDK, and decrypting the encrypted transaction message;

and carrying out token verification on the decrypted transaction message, and sending a transaction message request to a product service back-end component of the open bank background system after the verification is passed.

In a specific embodiment, the method for receiving the transaction message request by the open bank background system, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway includes:

a product service back-end component receives a transaction message request sent by the open bank API gateway, and records the processing state of a business process in a cache according to the transaction message request; obtaining user identity information from the user element information cached in Redis, and performing anti-unauthorized comparison on the obtained user identity information and the transaction identity information in the transaction message request; after the comparison is passed, processing the corresponding transaction; pushing related information of the transaction to a risk control platform;

the risk control platform receives the relevant information of the transaction pushed by the product service back-end component, performs transaction behavior analysis according to the relevant information of the transaction, determines a transaction behavior analysis result and feeds the transaction behavior analysis result back to the product service back-end component;

and the product service back-end component receives the transaction behavior analysis result fed back by the risk control platform, generates a response message and returns the response message to the open bank API gateway.

The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the computer program, the API service security control method of the open bank is realized.

An embodiment of the present invention also provides a computer-readable storage medium, where a computer program for executing the API service security control method for an open bank is stored in the computer-readable storage medium.

In the embodiment of the invention, the mobile terminal SDK is arranged to receive the user identification information sent by the application program and collect the use information of the application program; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a service end of the cooperation mechanism for identity identification authentication; entering an entry address of a product returned by the API gateway of the open bank, generating an encrypted transaction message by using the access token and the secret key, and sending the encrypted transaction message to the API gateway of the open bank; setting a cooperative mechanism server, receiving a communication message sent by a mobile terminal SDK, and performing identity identification authentication on an application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway; the method comprises the steps that an open bank API gateway is arranged and used for receiving a token application request message sent by a cooperative mechanism server side, generating an access token according to the token application request message and sending the access token to an open bank background system; and returning to the mobile terminal SDK according to the evaluation result fed back by the open bank background system: an entry address, an access token, and a key for the product; receiving an encrypted transaction message sent by a mobile terminal SDK, and sending a transaction message request to an open bank background system according to the encrypted transaction message; receiving a response message returned by the open bank background system, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK; setting an open bank background system, receiving the access token, performing risk assessment, and sending an assessment result to an open bank API gateway; receiving a transaction message request, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway. The access token is used for carrying out business process association, a Session (time domain) -like management mechanism is realized, the existence of horizontal override and vertical override is avoided, and serious loopholes such as malicious skipping of a business verification step are avoided, so that user data leakage is avoided, and the occurrence of capital loss is reduced.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

Fig. 1 is a schematic structural diagram of an API service security control system of an open bank in an embodiment of the present invention.

Fig. 2 is a schematic diagram illustrating an SDK initialization control flow of the mobile terminal according to an embodiment of the present invention.

Fig. 3 is a diagram illustrating a normal transaction control flow of the mobile SDK page mode in an embodiment of the present invention.

FIG. 4 is a schematic diagram of a risk control mechanism in an embodiment of the present invention.

Fig. 5 is a schematic diagram of an API service security control method for an open bank in an embodiment of the present invention.

Fig. 6 is a schematic diagram illustrating an implementation process of step 502 in an embodiment of the present invention.

Fig. 7 is a schematic diagram of an implementation process of step 503 in the embodiment of the present invention.

FIG. 8 is a diagram illustrating an implementation of step 504 in an embodiment of the present invention.

Fig. 9 is a schematic diagram of the implementation process of step 505 in the embodiment of the present invention.

FIG. 10 is a diagram illustrating an implementation of step 506 in an embodiment of the present invention.

Fig. 11 is a schematic diagram illustrating an implementation process of step 507 in the embodiment of the present invention.

FIG. 12 is a diagram illustrating an implementation of step 508 in an embodiment of the present invention.

Fig. 13 is a schematic diagram of an electronic device for API service security control of open bank in an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

In order to facilitate understanding of the API service security control system and method for open banks provided in the embodiments of the present invention, the terms of art related in the embodiments of the present invention are explained as follows:

opening a bank: translated from Open Banking in english, proposed in the uk, originated and popularized as an exploration of data sharing and Open data of the Banking industry in the uk and the european union, and is a secure way for providers to access the financial information of customers using Open API technology. On one hand, the customer can know the own account in more detail; on the other hand, the customer may enjoy better financial services through a third party provider. The open bank platform is used as an open financial service platform, user experience is used as guidance, an ecological scene is used as a touch point, the core capacity of a financial institution is used as support, and the open bank platform is built and shared with main bodies such as clients, employees, suppliers and technology developers by means of modern technologies, so that first-class financial service is provided for the clients.

API: application programming interface is a set of predefined functions through which developers can conveniently access related services without paying attention to the design and implementation of the services.

And (3) SDK: software development kit, an application software development tool package is a development tool set used when an application program is established based on a specific software package, a framework hardware platform operating system and the like.

Interface mode: the user designs and develops the functional interface according to the business process and the implementation requirement, and the design style and the specific product service requirement of the network application of the cooperation mechanism are met.

Page mode: the user does not need to develop a function interface, the commercial bank develops and designs the function interface for the user to use, the transaction process of the user is completed at the bank side, and the bank application software development kit is embedded and built in the application end in the mode, so that the quick access can be realized.

The application method comprises the following steps: a mechanism to invoke a commercial banking application program interface.

Data of class C3: the technical specification for protecting personal financial information (JRT 0171-2020) specifies that the sensitivity of personal financial information is divided into three levels of C3, C2 and Cl from high to low according to the influence and harm caused by unauthorized viewing or unauthorized change of the information. The C3 category information is mainly user authentication information. Once unauthorized viewing or unauthorized alteration is performed on the information, serious damage is caused to the information safety and property safety of the personal financial information subject.

Open bank application program interface service: the financial service mode realizes internal and external interconnection by relying on the API technology. The commercial bank provides an application program interface for interconnection for the partner, outputs the self financial service capability and the information technology capability, and provides beneficial supplement for increasing the financial ecological viscosity. The value creation of the open bank is as follows: the construction of the safety capability of the open bank in a special line mode can be replaced, so that abundant financial products can be output really; all financial service tentacles can reach and simultaneously fully save the access cost. Can better deposit customer resources and provide data support for digital transformation. The financial industry is a strongly supervised industry, relates to industries with extremely high business sensitive data, is a highly information-dependent industry, and is also an industry with extremely severe information safety risk situations.

An embodiment of the present invention provides an API service security control system for an open bank, which is used to avoid user data leakage and reduce the occurrence of capital loss, and the system is shown in fig. 1 and includes:

the mobile terminal SDK101 is used for receiving the user identification information sent by the application program and collecting the application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of the cooperation mechanism service terminal 102 for identity identification authentication; entering an entry address of a product returned by the open bank API gateway 103, generating an encrypted transaction message by using the access token and the secret key, and sending the encrypted transaction message to the open bank API gateway 103;

the cooperation mechanism server 102 is used for receiving the communication message sent by the mobile terminal SDK101 and performing identity identification and authentication on the application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway 103;

the open bank API gateway 103 is configured to receive a token application request message sent by the partner mechanism server 102, generate an access token according to the token application request message, and send the access token to the open bank background system 104; and returning to the mobile terminal SDK101 according to the evaluation result fed back by the open bank background system 104: an entry address, an access token, and a key for the product; receiving an encrypted transaction message sent by the mobile terminal SDK101, and sending a transaction message request to the open bank background system 104 according to the encrypted transaction message; receiving a response message returned by the open bank background system 104, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK 101;

the open bank background system 104 is used for receiving the access token, performing risk assessment and sending an assessment result to the open bank API gateway 103; receiving a transaction message request, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway 103.

Therefore, in the embodiment of the invention, the mobile terminal SDK101 is arranged to receive the user identification information sent by the application program and collect the application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of the cooperation mechanism service terminal 102 for identity identification authentication; entering an entry address of a product returned by the open bank API gateway 103, generating an encrypted transaction message by using the access token and the secret key, and sending the encrypted transaction message to the open bank API gateway 103; a cooperation mechanism server 102 is arranged, receives a communication message sent by a mobile terminal SDK101, and performs identity identification authentication on an application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway 103; the method comprises the steps that an open bank API gateway 103 is arranged and used for receiving a token application request message sent by a cooperative mechanism server 102, generating an access token according to the token application request message and sending the access token to an open bank background system 104; and returning to the mobile terminal SDK101 according to the evaluation result fed back by the open bank background system 104: an entry address, an access token, and a key for the product; receiving an encrypted transaction message sent by the mobile terminal SDK101, and sending a transaction message request to the open bank background system 104 according to the encrypted transaction message; receiving a response message returned by the open bank background system 104, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK 101; setting an open bank background system 104, receiving the access token, performing risk assessment, and sending an assessment result to an open bank API gateway 103; receiving a transaction message request, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway 103. The access token is used for carrying out business process association, a Session (time domain) -like management mechanism is realized, the existence of horizontal override and vertical override is avoided, and serious loopholes such as malicious skipping of a business verification step are avoided, so that user data leakage is avoided, and the occurrence of capital loss is reduced.

In a specific embodiment, since the life cycle of the API service of the open bank is divided into two stages, namely, SDK initialization and mobile terminal SDK101 page mode transaction, in specific implementation, the mobile terminal SDK101 is specifically configured to:

when the mobile terminal SDK101 is initialized, receiving user identification information sent by an application program APP, and collecting application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of the cooperation mechanism service terminal 102 for identity identification authentication;

when the mobile terminal SDK101 is transacted in a page mode, opening a webpage view Webview control, and jumping to an entry address of a product; and assembling the access token into a transaction message, encrypting the transaction message by using the secret key to generate an encrypted transaction message, and sending the encrypted transaction message to the open bank API gateway 103.

Receiving user identification information sent by an application program, acquiring application program use information, providing a product name and an access scene which are expected to be used by a mobile terminal to an SDK, and providing related information for identifying a current login user of an APP (application program) to the SDK, such as Cookie (data stored on a local terminal of the user), Session ID and the like; the APP calls the SDK, and the SDK collects application program use information, including: the device information, the APP information and the running environment detection information of the mobile terminal.

In specific implementation, the collaboration service end 102 is specifically configured to:

when the mobile terminal SDK101 is initialized, receiving a communication message sent by the mobile terminal SDK101, verifying whether an application program is a counterfeit according to the communication message, and if the verification result is a non-counterfeit, determining that identity identification authentication is successful;

the user identity information is converted into the identity information of the open bank system, the identity information of the open bank system is used for replacing the user identity information in the communication message to obtain a token application request message, and the token application request message is sent to the open bank API gateway 103.

Correspondingly, when the mobile terminal SDK101 is initialized, the bank API gateway 103 is opened, and specifically configured to:

receiving a token application request message sent by the cooperative mechanism server 102, and performing permission verification according to the token application request message;

after the permission verification is passed, generating an access token, and sending the access token to a product service back-end component of the open bank background system 104;

receiving user element information and main transaction account information returned by a product service back-end component, caching the user element information and the main transaction account information into Redis by taking an access token as a key and taking the user element information and the main transaction account information as values;

initiating a risk evaluation request to a risk control platform of the open bank background system 104 according to the information cached in Redis, and receiving an evaluation result fed back by the risk control platform;

determining whether to approve the access of the mobile terminal SDK101 according to the evaluation result fed back by the risk control platform;

when the access of the mobile terminal SDK101 is approved, the access is returned to the mobile terminal SDK 101: the entry address of the product, the access token and the key.

The entry address of the product refers to an H5(HTML 5) access address.

Further, when the mobile terminal SDK101 is initialized, the bank background system 104 is opened, which includes:

the product service back-end component is used for receiving the access token sent by the open bank API gateway 103, identifying the access token and obtaining user element information and main transaction account information of the user; returning the user element information and the main transaction account information of the user to the open bank API gateway 103;

the risk control platform is used for receiving a risk evaluation request initiated by the open bank API gateway 103 and determining application program use information and user element information according to the risk evaluation request; and performing risk assessment by using the application use information and the user element information, determining an assessment result, and feeding the assessment result back to the open bank API gateway 103.

After the initialization of the mobile terminal SDK101 is finished, the page mode transaction of the mobile terminal SDK101 can be carried out, and at the moment, the H5 in the mobile terminal SDK101 applies a triggered Javascript event to call a Javascript Bridge component in the Webview control; and assembling the access token into a message, performing basic encryption and signature adding processing, and sending the processed access token to the open bank API gateway 103.

Correspondingly, the open bank API gateway 103 is specifically configured to:

receiving an encrypted transaction message sent by the mobile terminal SDK101, and decrypting the encrypted transaction message;

carrying out token verification on the decrypted transaction message, and sending a transaction message request to a product service back-end component of the open bank background system 104 after the verification is passed;

and receiving a response message returned by the open bank background system 104, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK 101.

At this time, the product service back-end component in the open bank background system 104 is configured to receive a transaction message request sent by the open bank API gateway 103, and record a processing state of the service flow in the cache according to the transaction message request; obtaining user identity information from the user element information cached in Redis, and performing anti-unauthorized comparison on the obtained user identity information and the transaction identity information in the transaction message request; after the comparison is passed, processing the corresponding transaction; pushing related information of the transaction to a risk control platform; receiving a transaction behavior analysis result fed back by the risk control platform, generating a response message, and returning the response message to the open bank API gateway 103;

and the risk control platform in the open bank background system 104 is configured to receive the relevant information of the transaction pushed by the product service back-end component, perform transaction behavior analysis according to the relevant information of the transaction, determine a transaction behavior analysis result, and feed the transaction behavior analysis result back to the product service back-end component.

A specific example is given below to illustrate how embodiments of the present invention perform API business security control for open banks.

In terms of network definition, an SDK is generally a collection of software engineers that are used to build application software development tools for a particular software package, software framework, hardware platform, operating system, and the like. Generally speaking, the SDK is a tool kit capable of realizing functions of software products, some functional SDKs can be operated as products currently, and users of the SDK do not need to develop each function of the products, so that the cost for realizing the functions of the products can be reduced, and the development efficiency can be improved. The sharing of the third-party data and services is realized through the SDK technology. In specific application, the SDK is a tool better blended into a mobile scene, for example, a bank cooperates with a social platform B, a wants to embed part of services on the platform B, and can integrate the services into an App of the platform B through the SDK, so that the platform B can directly call the services of the platform a. An API is a capability or specification, and in general, an SDK may contain multiple APIs.

The business bank provides the application program interface service for the application party and the user through an API direct connection or an SDK indirect connection mode, and the external output of the business bank service is realized. The open platform outputs service to the outside, and provides the following two access modes for users:

interface mode (I). The user designs and develops the functional interface according to the business process and the implementation requirement of the bank, and the design style and the specific product service requirement of the network application of the cooperation mechanism are met.

And (II) a page mode. The cooperation mechanism does not need to develop a functional interface, the functional interface is developed and designed by a bank for a client to use, the transaction process of the client is completed at the bank side, a bank application software development kit is embedded and built in an application end in the mode, a message is encrypted and decrypted, and controls with higher threshold requirements such as a GPS (global positioning system), a camera and face recognition are called, so that the purpose of quick access is achieved.

The embodiment applies the API service security control system of the open bank provided in the above embodiment to perform network security control of the open bank C-side user system. The general idea is as follows: the cooperative organization integrates the special financial products of the 'page mode' of the bank into the business scene of the cooperative organization by integrating the SDK issued by the open bank in the APP of the cooperative organization. The method realizes the user identity transmission between the cooperation mechanism and the bank system in a mode that the server exchanges the user identity with the server, realizes the C-end user cross authorization of the cooperation mechanism, and improves the safety of the system. The service process is associated in a token access mode, a session-like management mechanism is realized, and serious loopholes such as horizontal override, vertical override, malicious skipping of a service verification step and the like are effectively solved, so that the occurrence of events of user data leakage or capital loss is caused. The mobile terminal SDK collects the equipment information and the SDK running environment information and accesses the risk control platform, so that more decision data sources are provided for risk control and channel anti-fraud, and the overall safety level of the platform is improved. And the SDK end solves the problem that the existing security protection of the open bank can not realize the independent authorization management of the mobile end through the mode of collecting the equipment information. And flexible sensitive information protection mechanisms such as a safe soft keyboard are used for ensuring that the input of C3 sensitive information is completed at the bank side, so that a financial data safety closed-loop system is improved.

Specifically, since the page mode related to this specific example is implemented based on the mobile terminal SDK, the open bank API service life cycle is divided into two flows of SDK initialization and normal transaction, and the specific design is shown in fig. 2 and fig. 3.

The SDK at the mobile terminal provides basic message encryption and signature functions and controls the whole session process through the access token. The overall flow may be described as:

at the mobile terminal SDK initialization stage, the App transmits information for identifying own users to the SDK, and the SDK simultaneously assembles device App application information, hardware information and App running environment information collected from mobile phone equipment into a communication message and sends the communication message to an SDK authentication service interface of a cooperation mechanism so as to apply for opening an access token of a bank API;

the cooperation mechanism needs to detect whether the App is a counterfeit App, authenticate the identity identification information sent by the cooperation mechanism, and convert the own user system into the identity information of the bank system, such as an identity card number, a mobile phone number, a bank card number and the like, according to a mode agreed with the bank (the link can be skipped for products which do not need to call the user system). Then, a message is assembled, and a service application access token of an API gateway of the open bank is called through the SDK of the service terminal;

the risk control platform uses a rule engine, carries out risk identification by using strong risk data in a bank, generates a negative observation list at the same time, and blocks high-risk application access token transactions in time. And after passing the authentication, returning an access token of the mobile terminal, a pair of keys for encrypting and signing and an entry URL address of the product.

And after the mobile terminal SDK receives the final response message, the mobile terminal SDK calls Webview to directly pull up the H5 page. And in the normal transaction stage of the SDK at the mobile terminal, only the communication with the API gateway of the open bank is needed. The basic service of the mobile terminal SDK ensures the safety of the communication message by using the obtained access token and the negotiated process key.

When risk identification is performed, some preset wind control rules are generally applied, as shown in table 1:

TABLE 1

The specific example is applied to a page mode of SDK indirect connection, relates to the field of personal finance sensitive information protection in open banking, and provides a scheme for authenticating partner identity (B end) and cross authorization to a terminal user (C end) facing the SDK, and design and implementation of an end-to-end protection mechanism for C3 sensitive information data by using a safe soft keyboard in a two-factor authentication process, so that the safety construction of a general open banking system can be met.

The specific example provides an efficient identity authentication mechanism, and interconnection and intercommunication between a user system of a cooperation mechanism and a bank user system are realized. For example, important business and bank parameter transmission behaviors (such as customer identity identification) are exchanged by the server to obtain identifiers of de-identification, randomness and Token-based on an interface mode, and the identifier is used for achieving information closed loop of the mobile terminal SDK, so that risks of leakage, stealing and the like of sensitive information of customers are avoided. In the design of bank products, modes such as double factors and the like can be adopted for important transactions, secondary authentication of a C-end user is achieved, and the bank can practically protect the safety of user funds and user data.

The specific example also provides a mode for protecting C3 sensitive information such as user payment, login, password inquiry and the like in the authentication of double factors or multiple factors, the mobile terminal SDK provides functions of preventing terminal screen recording and screen capturing, and an H5 secure soft keyboard based on a white box key is deployed at the open bank service terminal. The method guarantees that the C3 sensitive information cannot be cached by the terminal in the H5 secure soft keyboard entry process, but can only be restored in the API gateway, and then the C3 sensitive information is sent to the product service component by adopting an end-to-end encryption mechanism, thereby practically guaranteeing that the C3 sensitive information cannot be intercepted and leaked in the communication message between the H5 application of the terminal and the open bank platform system.

This embodiment also provides a mechanism for acquiring device information through the SDK, and in the SDK initialization and transaction processes, the mechanism acquires the current mobile phone device information: such as Mac address, current IP address of the mobile phone, and packageName of android; the method comprises the steps of enabling testBundleID or bundleID of ios, Mobile phone Equipment identification code (MEID Mobile Equipment Identifier) or unique identification code of Equipment, and meanwhile collecting whether an APP running environment and an operating system are root or not.

Further, the embodiment also provides a risk control mechanism based on a terminal in the field of open banks. As shown in fig. 4, by combining the point burying technology, all transaction data and user behaviors are brought into a data warehouse, and by using big data, stream-type computer learning and artificial intelligence, and by means of a data analysis engine, data is cleaned, screened and processed, a negative observation list and a wind control strategy forming mechanism are automatically generated. Terminal equipment identification information, application information, physical address and frequency of transaction occurrence, user identity information and products of an accessed open bank of a C-end user from a cooperative mechanism are integrated to carry out terminal security scoring, and risk prevention and control are accurately and effectively carried out through risk modeling and a rule engine. On the premise of respecting the privacy of client data, the real-time safety monitoring of daily transactions is realized, and early warning and real-time blocking of malicious and high-risk transactions suspected of fraud are realized.

Thus, the advantages of this embodiment are as follows:

the page mode is cooperated with a product assembly at the rear end through a cooperation mechanism, an API gateway and the product assembly at the rear end in three parties, so that products of an open bank are integrated into a huge user system of the cooperation mechanism, and the user experience is greatly improved. Through the mode of cross authorization with the cooperation institution, the mobile client is obtained, the output products can be guided to the C terminal, the bank user group is improved, and a large amount of transaction amount is brought.

Through the page mode, the bank can provide businesses which can be developed only by using professional controls such as face recognition and OCR recognition, and the threshold of a cooperative institution and the bank for providing financial related services in a cooperative mode is lowered.

The collection of the equipment information in the page mode can enable the API of the bank to be accessed to a powerful wind control system of the bank, and reduces the risk caused by launching new-form business.

By using the H5 safety soft keyboard, C3 sensitive data can be protected, and the supervision requirement is met.

The implementation of the above specific application is only an example, and the rest of the embodiments are not described in detail.

Based on the same inventive concept, an embodiment of the present invention further provides an API service security control method for an open bank, where the principle of the problem solved by the API service security control method for an open bank is similar to that of the API service security control system for an open bank, so that the implementation of the API service security control method for an open bank may refer to the implementation of the API service security control system for an open bank, and repeated parts are not repeated, as shown in fig. 5, and specifically includes:

step 501: the mobile terminal SDK receives user identification information sent by an application program and collects application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a service end of the cooperation mechanism for identity identification authentication;

step 502: the cooperation mechanism server receives the communication message sent by the mobile terminal SDK, and performs identity identification authentication on the application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway;

step 503: the open bank API gateway receives a token application request message sent by a cooperative mechanism server, generates an access token according to the token application request message, and sends the access token to an open bank background system;

step 504: the open bank background system receives the access token, carries out risk assessment and sends an assessment result to the open bank API gateway;

step 505: and the open bank API gateway returns the evaluation result fed back by the open bank background system to the mobile terminal SDK: an entry address, an access token, and a key for the product;

step 506: the mobile terminal SDK enters an entry address of a product returned by the open bank API gateway, generates an encrypted transaction message by using the access token and the secret key, and sends the encrypted transaction message to the open bank API gateway;

step 507: the open bank API gateway receives an encrypted transaction message sent by the mobile terminal SDK, and sends a transaction message request to the open bank background system according to the encrypted transaction message;

step 508: the open bank background system receives the transaction message request, performs anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sends the response message to the open bank API gateway;

step 509: and the open bank API gateway receives a response message returned by the open bank background system, determines a transaction response result according to the response message, and sends the transaction response result to the mobile terminal SDK.

In a specific embodiment, when step 501 is implemented specifically, the method includes:

when the mobile terminal SDK is initialized, the mobile terminal SDK receives user identification information sent by an application program and collects application program use information; wherein the application usage information includes: the device information, the APP information and the running environment detection information of the mobile terminal.

In specific implementation, the specific implementation process of step 502, as shown in fig. 6, includes:

step 601: the cooperation mechanism server receives the communication message sent by the mobile terminal SDK, verifies whether the application program is a counterfeit according to the communication message, and if the verification result is a non-counterfeit, the identity recognition authentication is determined to be successful;

step 602: after the identity recognition and authentication are successful, determining user identity information according to the communication message;

step 603: and converting the user identity information into the identity information of the open bank system, replacing the user identity information in the communication message by using the identity information of the open bank system to obtain a token application request message, and sending the token application request message to the API gateway of the open bank.

In a specific embodiment, step 503 specifically implements a process, as shown in fig. 7, including:

step 701: when the mobile terminal SDK is initialized, the open bank API gateway receives a token application request message sent by a cooperative mechanism server, and performs authority verification according to the token application request message;

step 702: after the permission verification is passed, generating an access token, and sending the access token to a product service back-end component of the open bank background system;

step 703: receiving user element information and main transaction account information returned by a product service back-end component, caching the user element information and the main transaction account information into Redis by taking an access token as a key and taking the user element information and the main transaction account information as values;

step 704: and initiating a risk evaluation request to a risk control platform of the open bank background system according to the information cached in the Redis.

In a specific embodiment, the implementation process of step 504, as shown in fig. 8, includes:

step 801: the product service back-end component receives the access token sent by the API gateway of the open bank, identifies the access token and obtains user element information and main transaction account information of the user; returning the user element information and the main transaction account information of the user to the open bank API gateway;

step 802: the risk control platform receives a risk evaluation request initiated by an API gateway of an open bank, and determines application program use information and user element information according to the risk evaluation request; and performing risk evaluation by using the application program use information and the user element information, determining an evaluation result, and feeding the evaluation result back to the API gateway of the open bank.

Accordingly, the implementation process of step 505, as shown in fig. 9, includes:

step 901: when the mobile terminal SDK is initialized, the open bank API gateway receives an evaluation result fed back by the risk control platform;

step 902: determining whether to approve the access of the mobile terminal SDK according to the evaluation result fed back by the risk control platform;

step 903: and when the access of the mobile terminal SDK is approved, returning to the mobile terminal SDK: the entry address of the product, the access token and the key.

When the mobile terminal SDK page mode transaction is performed, the specific implementation process of step 506, as shown in fig. 10, includes:

step 1001: the mobile terminal SDK opens a webpage view control and jumps to the entry address of the product;

step 1002: and assembling the access token into a transaction message, encrypting the transaction message by using the secret key to generate an encrypted transaction message, and sending the encrypted transaction message to the API gateway of the open bank.

Further, the implementation process of step 507, as shown in fig. 11, includes:

step 1101: when the mobile terminal SDK page mode is transacted, receiving an encrypted transaction message sent by the mobile terminal SDK, and decrypting the encrypted transaction message;

step 1102: and carrying out token verification on the decrypted transaction message, and sending a transaction message request to a product service back-end component of the open bank background system after the verification is passed.

In specific implementation, the implementation process of step 508 is shown in fig. 12, and includes:

step 1201: the product service back-end component receives a transaction message request sent by the open bank API gateway, and records the processing state of the business process in a cache according to the transaction message request; obtaining user identity information from the user element information cached in Redis, and performing anti-unauthorized comparison on the obtained user identity information and the transaction identity information in the transaction message request; after the comparison is passed, processing the corresponding transaction; pushing related information of the transaction to a risk control platform;

step 1202: the risk control platform receives the relevant information of the transaction pushed by the product service back-end component, performs transaction behavior analysis according to the relevant information of the transaction, determines a transaction behavior analysis result and feeds the transaction behavior analysis result back to the product service back-end component;

step 1203: and the product service back-end component receives the transaction behavior analysis result fed back by the risk control platform, generates a response message and returns the response message to the open bank API gateway.

Fig. 13 is a schematic block diagram of a system configuration of an electronic apparatus 1300 according to an embodiment of the present application. As shown in fig. 13, the electronic device 1300 may include a central processor 1301 and a memory 1302; the memory 1302 is coupled to the central processor 1301. Notably, this fig. 13 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.

In one embodiment, the functions of the API business security control system of the open bank may be integrated into the central processor 1301. The central processor 1301 may be configured to control:

the mobile terminal SDK is used for receiving the user identification information sent by the application program and collecting the application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a service end of the cooperation mechanism for identity identification authentication; entering an entry address of a product returned by the API gateway of the open bank, generating an encrypted transaction message by using the access token and the secret key, and sending the encrypted transaction message to the API gateway of the open bank;

the cooperation mechanism server is used for receiving the communication message sent by the mobile terminal SDK and carrying out identity identification authentication on the application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway;

the open bank API gateway is used for receiving a token application request message sent by a cooperative mechanism server, generating an access token according to the token application request message and sending the access token to an open bank background system; and returning to the mobile terminal SDK according to the evaluation result fed back by the open bank background system: an entry address, an access token, and a key for the product; receiving an encrypted transaction message sent by a mobile terminal SDK, and sending a transaction message request to an open bank background system according to the encrypted transaction message; receiving a response message returned by the open bank background system, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK;

the open bank background system is used for receiving the access token, carrying out risk assessment and sending an assessment result to the open bank API gateway; receiving a transaction message request, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway.

As can be seen from the above description, in the electronic device provided in the embodiment of the present application, the mobile terminal SDK is set, the user identification information sent by the application program is received, and the application program use information is collected; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a service end of the cooperation mechanism for identity identification authentication; entering an entry address of a product returned by the API gateway of the open bank, generating an encrypted transaction message by using the access token and the secret key, and sending the encrypted transaction message to the API gateway of the open bank; setting a cooperative mechanism server, receiving a communication message sent by a mobile terminal SDK, and performing identity identification authentication on an application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway; the method comprises the steps that an open bank API gateway is arranged and used for receiving a token application request message sent by a cooperative mechanism server side, generating an access token according to the token application request message and sending the access token to an open bank background system; and returning to the mobile terminal SDK according to the evaluation result fed back by the open bank background system: an entry address, an access token, and a key for the product; receiving an encrypted transaction message sent by a mobile terminal SDK, and sending a transaction message request to an open bank background system according to the encrypted transaction message; receiving a response message returned by the open bank background system, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK; setting an open bank background system, receiving the access token, performing risk assessment, and sending an assessment result to an open bank API gateway; receiving a transaction message request, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway. The access token is used for carrying out business process association, a Session (time domain) -like management mechanism is realized, the existence of horizontal override and vertical override is avoided, and serious loopholes such as malicious skipping of a business verification step are avoided, so that user data leakage is avoided, and the occurrence of capital loss is reduced.

In another embodiment, the API service security control system of the open bank may be configured separately from the central processor 1301, for example, the API service security control system of the open bank may be configured as a chip connected to the central processor 1301, and the API service security control function of the open bank is implemented by the control of the central processor.

As shown in fig. 13, the electronic device 1300 may further include: a communication module 1303, an input unit 1304, an audio processor 1305, a display 1306, and a power supply 1307. It is worthy to note that electronic device 1300 also need not include all of the components shown in FIG. 13; furthermore, the electronic device 1300 may also include components not shown in fig. 13, which may be referred to in the prior art.

As shown in fig. 13, a central processor 1301, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, the central processor 1301 receiving input and controlling the operation of the various components of the electronic device 1300.

The memory 1302 may be, for example, one or more of a buffer, a flash memory, a hard drive, a removable media, a volatile memory, a non-volatile memory, or other suitable device. The information relating to the failure may be stored, and a program for executing the information may be stored. And the central processor 1301 may execute the program stored in the memory 1302 to realize information storage or processing, or the like.

The input unit 1304 provides input to the central processor 1301. The input unit 1304 is, for example, a key or a touch input device. The power supply 1307 is used to provide power to the electronic device 1300. The display 1306 is used for displaying display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.

The memory 1302 may be a solid state memory such as Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be a memory that holds information even when power is off, can be selectively erased, and is provided with more data, an example of which is sometimes called an EPROM or the like. The memory 1302 may also be some other type of device. Memory 1302 includes buffer memory 1321 (sometimes referred to as a buffer). The memory 1302 may include an application/function storage 1322 for storing application programs and function programs or for executing a flow of operations of the electronic device 1300 by the central processor 1301.

The memory 1302 may also include a data store 1323, the data store 1323 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by the electronic device. The driver storage 1324 of the memory 1302 may include various drivers for the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, directory applications, etc.).

The communication module 1303 is a transmitter/receiver 1303 which transmits and receives signals via an antenna 1308. A communication module (transmitter/receiver) 1303 is coupled to the central processor 1301 to supply an input signal and receive an output signal, which may be the same as in the case of a conventional mobile communication terminal.

Based on different communication technologies, in the same electronic device, a plurality of communication modules 1303 may be provided, such as a cellular network module, a bluetooth module, and/or a wireless local area network module. The communication module (transmitter/receiver) 1303 is also coupled to a speaker 1309 and a microphone 1310 via an audio processor 1305 to provide audio output via the speaker 1309 and receive audio input from the microphone 1310 to implement general telecommunications functions. The audio processor 1305 may include any suitable buffers, decoders, amplifiers and so forth. Additionally, an audio processor 1305 is also coupled to the central processor 1301, enabling recording of sound locally through a microphone 1310, and enabling playback of locally stored sound through a speaker 1309.

An embodiment of the present invention further provides a computer-readable storage medium capable of implementing all the steps in the API service security control method for an open bank in the foregoing embodiments, where the computer-readable storage medium stores a computer program, and the computer program implements all the steps of the API service security control method for an open bank in the foregoing embodiments when executed by a processor, for example, the processor implements the following steps when executing the computer program:

the mobile terminal SDK receives user identification information sent by an application program and collects application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a service end of the cooperation mechanism for identity identification authentication;

the cooperation mechanism server receives the communication message sent by the mobile terminal SDK, and performs identity identification authentication on the application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway;

the open bank API gateway receives a token application request message sent by a cooperative mechanism server, generates an access token according to the token application request message, and sends the access token to an open bank background system;

the open bank API gateway receives an encrypted transaction message sent by the mobile terminal SDK, and sends a transaction message request to the open bank background system according to the encrypted transaction message;

In summary, the API service security control system and method for an open bank provided in the embodiments of the present invention have the following advantages:

receiving user identification information sent by an application program by setting a mobile terminal SDK, and acquiring application program use information; obtaining a communication message according to the user identification information and the application program use information, and sending the communication message to an SDK authentication service interface of a service end of the cooperation mechanism for identity identification authentication; entering an entry address of a product returned by the API gateway of the open bank, generating an encrypted transaction message by using the access token and the secret key, and sending the encrypted transaction message to the API gateway of the open bank; setting a cooperative mechanism server, receiving a communication message sent by a mobile terminal SDK, and performing identity identification authentication on an application program according to the communication message; after the identity identification authentication is successful, converting the communication message to obtain a token application request message, and sending the token application request message to the open bank API gateway; the method comprises the steps that an open bank API gateway is arranged and used for receiving a token application request message sent by a cooperative mechanism server side, generating an access token according to the token application request message and sending the access token to an open bank background system; and returning to the mobile terminal SDK according to the evaluation result fed back by the open bank background system: an entry address, an access token, and a key for the product; receiving an encrypted transaction message sent by a mobile terminal SDK, and sending a transaction message request to an open bank background system according to the encrypted transaction message; receiving a response message returned by the open bank background system, determining a transaction response result according to the response message, and sending the transaction response result to the mobile terminal SDK; setting an open bank background system, receiving the access token, performing risk assessment, and sending an assessment result to an open bank API gateway; receiving a transaction message request, performing anti-unauthorized verification and transaction behavior analysis according to the transaction message request to obtain a response message, and sending the response message to the open bank API gateway. The access token is used for carrying out business process association, a Session (time domain) -like management mechanism is realized, the existence of horizontal override and vertical override is avoided, and serious loopholes such as malicious skipping of a business verification step are avoided, so that user data leakage is avoided, and the occurrence of capital loss is reduced.

Although the present invention provides method steps as described in the examples or flowcharts, more or fewer steps may be included based on routine or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or client product executes, it may execute sequentially or in parallel (e.g., in the context of parallel processors or multi-threaded processing) according to the embodiments or methods shown in the figures.

As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, apparatus (system) or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment. In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "upper", "lower", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience in describing the present invention and simplifying the description, but do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Unless expressly stated or limited otherwise, the terms "mounted," "connected," and "connected" are intended to be inclusive and mean, for example, that they may be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations. It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention is not limited to any single aspect, nor is it limited to any single embodiment, nor is it limited to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the present invention may be utilized alone or in combination with one or more other aspects and/or embodiments thereof.

Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims

1. An API service security control system for an open bank, comprising:

2. The API service security control system of an open bank as claimed in claim 1, wherein said partner institution server is specifically configured to:

3. The API service security control system of open bank as claimed in claim 1, wherein the mobile terminal SDK is specifically configured to:

4. The API service security control system of the open bank as claimed in claim 3, wherein when the mobile terminal SDK is initialized, the open bank API gateway is specifically configured to:

5. The API service security control system of open bank of claim 4, wherein said open bank back office system comprises:

6. The API service security control system of open bank as claimed in claim 4, wherein, when the mobile terminal SDK page mode transaction, the open bank API gateway is specifically configured to:

7. The API service security control system of open bank of claim 6, wherein said open bank back office system comprises:

8. An API service security control method for an open bank is characterized by comprising the following steps:

9. The API service security control method for open bank as claimed in claim 8, wherein the partner mechanism server receives the communication packet sent by the mobile SDK, and performs identity authentication on the application program according to the communication packet; after the identity recognition and authentication are successful, the communication message is converted to obtain a token application request message, and the token application request message is sent to an API gateway of the open bank, wherein the method comprises the following steps:

10. The API service security control method of an open bank as claimed in claim 8, wherein the mobile SDK receives user identification information uploaded by the application program, and collects application program usage information; obtaining a communication message according to the user identification information and the application program use information, sending the communication message to an SDK authentication service interface of a cooperative mechanism service end, and performing identity identification authentication, wherein the identity identification authentication comprises the following steps:

11. The API service security control method of an open bank according to claim 10, wherein the open bank API gateway receives a token application request message sent by the partner entity server, generates an access token according to the token application request message, and sends the access token to the open bank background system, and the method includes:

12. The API service security control method of an open bank as claimed in claim 11, wherein the open bank background system receives the access token, performs risk assessment, and sends the assessment result to the open bank API gateway, including:

13. The API service security control method of an open bank as claimed in claim 11, wherein the open bank API gateway returns the evaluation result fed back by the open bank background system to the mobile terminal SDK: an entry address, an access token and a key for a product, comprising:

14. The API service security control method of an open bank as claimed in claim 8, wherein the mobile terminal SDK enters an entry address of a product returned by the open bank API gateway, generates an encrypted transaction message using the access token and the key, and sends the encrypted transaction message to the open bank API gateway, including:

15. The API service security control method of an open bank as claimed in claim 14, wherein the open bank API gateway receives an encrypted transaction message sent by the mobile terminal SDK, and sends a transaction message request to the open bank background system according to the encrypted transaction message, including:

16. The API service security control method of an open bank as claimed in claim 15, wherein the open bank background system receives the transaction message request, performs an anti-unauthorized check and transaction behavior analysis according to the transaction message request to obtain a response message, and sends the response message to the open bank API gateway, including:

17. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 8 to 16 when executing the computer program.

18. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 8 to 16.