CN114239081A - Business certificate processing method, system and electronic equipment - Google Patents

Publication number
CN114239081A
CN114239081A CN202210174251.6A CN202210174251A CN114239081A CN 114239081 A CN114239081 A CN 114239081A CN 202210174251 A CN202210174251 A CN 202210174251A CN 114239081 A CN114239081 A CN 114239081A
Authority
CN
China
Prior art keywords
data
database file
client
memory
access
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210174251.6A
Other languages
Chinese (zh)
Inventor
刘波
张晓玮
李敏
朱玉洁
王珊珊
熊琴
王子云
刘壮
刘婧
郭健英
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tongji Medical College of Huazhong University of Science and Technology
Original Assignee
Tongji Medical College of Huazhong University of Science and Technology
Application filed by Tongji Medical College of Huazhong University of Science and Technology
Priority to CN202210174251.6A
Publication of CN114239081A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Power Engineering (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a service certificate processing method comprising the following steps: receiving original certificate information and acquiring a network protocol type; allocating a corresponding processing interface according to the network protocol type, and storing the original certificate information in a corresponding storage space in a first memory; parsing the original certificate information stored in the first memory according to a preset rule, writing the resulting original data stream into the corresponding data units of a first database, and storing a first database file in a corresponding storage space in the first memory, wherein the first database file comprises operable data and inoperable data; and performing three-level encryption on the operable data according to the authority configuration logic, directly encrypting the inoperable data to obtain a second database file, and storing the second database file in a second memory. The service certificate processing method of the invention makes authority management hierarchical, thereby avoiding the risk of data leakage.

Description

Business certificate processing method, system and electronic equipment
Technical Field
The invention belongs to the field of data processing, and particularly relates to a service certificate processing method, a service certificate processing system and electronic equipment.
Background
In recent years, the state has called for hospitals to raise the level of refined and intelligent management and to establish a graded evaluation standard system for intelligent hospital management, and has also set requirements for business processing, data checking, process management and the like. With the construction of information systems, a large number of accounting archives and vouchers have appeared. In managing accounting documents, the requirements of authenticity, integrity, security and audit trail are the key and difficult points of document management work.
Although most hospitals are moving certificate management to electronic form, imperfect management, disorderly information storage and disorderly permissions currently leave the data at considerable risk of leakage.
Disclosure of Invention
In order to solve the above problems in the prior art, the invention provides a service credential processing method, a system and an electronic device. The technical problem to be solved by the invention is realized by the following technical scheme:
a service certificate processing method is applied to a server side and comprises the following steps:
receiving original certificate information and acquiring a network protocol type;
distributing a corresponding processing interface according to the network protocol type, and storing the original certificate information into a corresponding storage space in a first storage;
analyzing the original certificate information stored in the first memory according to a preset rule, writing the obtained original data stream into a corresponding data unit in a first database, and storing a first database file in a corresponding storage space in the first memory, wherein the first database file comprises operable data and inoperable data;
performing three-level encryption on the operable data according to authority configuration logic, directly encrypting the inoperable data to obtain a second database file, and storing the second database file into a second memory;
responding to an access request of a client to judge whether the client has a first memory or a second memory access right, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
if it is determined from the MAC address of the client that the client has access authority to the first memory, determining whether the gateway address directly connected with the client is consistent with a preset gateway address; if so, providing the first database file access address in a readable and writable mode, and if not, providing the second database file access address in a read-only mode and sending a third-level secret key to the client; or, if it is determined from the MAC address of the client that the client has access authority to the second memory, determining the reference level for the second database file according to the password, and sending the corresponding secret key to the client according to the reference level.
In one embodiment, the encryption of the data according to the permission configuration logic comprises:
dividing the operable data into 4 reference-level data segments, wherein the fourth reference-level data segment is not encrypted, and the first reference-level data segment is encrypted 3 times;
encrypting the first reference-level data segment with a first secret key to obtain first encrypted data;
merging the second reference-level data segment with the first encrypted data, and then encrypting the result with a second secret key to obtain second encrypted data;
merging the third reference-level data segment with the second encrypted data, and then encrypting the result with a third secret key to obtain third encrypted data;
merging the fourth reference-level data segment with the third encrypted data to obtain the operable data ciphertext;
wherein the second key is different from both the first key and the third key.
In a specific embodiment, when the access times of all client MAC addresses within a preset time period are judged to be greater than a first preset threshold, a new secret key is used to encrypt a first database file to obtain a third database file, and an access address of the third database file and a corresponding secret key are provided and sent to a connected client, so that the client disconnects from a second database when receiving the access address of the third database file and the corresponding secret key;
and deleting the second database file after all the clients stop accessing the second database file.
In a specific embodiment, when it is determined that the number of accesses within the preset time period from the MAC address of a client that does not have access authority to the first database file but has access authority to the second database file is greater than a second preset threshold, the client's request to access the second database file is denied.
The invention also provides a service certificate processing method, which is applied to the client and comprises the following steps:
sending an access request to a server to acquire a reference authority, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
responding to a first database file access address fed back by a server side, and performing read-write operation on the first database file; or responding to a second database file access address and key information fed back by the server, and performing read-only operation on the second database file, wherein the first database file comprises operable data and inoperable data;
the first database file is obtained by analyzing original certificate information stored in the first memory according to a preset rule and writing an obtained original data stream into a corresponding data unit in a first database, and the second database file is obtained by performing three-level encryption on the operable data and directly encrypting the inoperable data.
In one embodiment, responding to the second database file access address and the key information fed back by the server and performing the read-only operation on the second database file comprises the following steps:
obtaining the number of secret keys from the key information to determine the number of encryption levels;
reading the second database file;
if the number of the secret keys is 0, extracting the unencrypted data segment from the second database file for operation;
if the number of the secret keys is 1, after extracting the unencrypted data segment from the second database file, decrypting the rest encrypted data segment, and extracting first-stage decrypted data;
if the number of the secret keys is 2, after extracting the unencrypted data segment from the second database file, carrying out first decryption on the rest encrypted data segment, extracting first-stage decryption data, carrying out second decryption on the rest encrypted data segment after extracting the first-stage decryption data, and extracting second-stage decryption data;
if the number of the secret keys is 3, after extracting the unencrypted data segment from the second database file, carrying out first decryption on the remaining encrypted data segment, extracting first-stage decryption data, carrying out second decryption on the remaining encrypted data segment after extracting the first-stage decryption data, extracting second-stage decryption data, carrying out third decryption on the remaining encrypted data segment after extracting the second-stage decryption data, and extracting third-stage decryption data.
The invention also provides a service voucher processing system, which comprises a server side and a client side;
the server side includes:
the original certificate receiving module is used for receiving original certificate information and acquiring a network protocol type;
the storage processing module is used for distributing a corresponding processing interface according to the network protocol type and storing the original certificate information into a corresponding storage space in a first storage;
the analysis module is used for analyzing the original certificate information stored in the first memory according to a preset rule, writing the obtained original data stream into a corresponding data unit in a first database, and storing a first database file in a corresponding storage space in the first memory, wherein the first database file comprises operable data and inoperable data;
the encryption processing module is used for carrying out three-level encryption on the operable data according to authority configuration logic, directly encrypting the inoperable data to obtain a second database file, and storing the second database file into a second memory;
the authority judging module is used for responding to an access request of a client to judge whether the client has a first memory or a second memory access authority, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
the key distribution module is used for determining, if it is determined from the MAC address of the client that the client has access authority to the first memory, whether the gateway address directly connected with the client is consistent with a preset gateway address, providing the first database file access address in a read-write mode if it is consistent, and providing the second database file access address in a read-only mode and sending the third-level keys to the client if it is inconsistent; or, if it is determined from the MAC address of the client that the client has access authority to the second memory, determining the reference level for the second database file according to the password, and sending the corresponding secret key to the client according to the reference level;
the client comprises:
the access request module is used for sending an access request to a server to acquire a reference authority, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
the operation module is used for responding to the first database file access address fed back by the server side and performing read-write operation on the first database file; or responding to the access address and the key information of the second database file fed back by the server, and performing read-only operation on the second database file, wherein the first database file comprises operable data and inoperable data.
The invention also provides electronic equipment comprising a first processor, a second processor, a communication interface, a memory and a communication bus, wherein the first processor, the second processor, the communication interface and the memory communicate with one another through the communication bus;
a first memory for storing a first computer program;
a second memory for storing a second computer program;
the first processor is used for realizing the method steps of the server side when executing the program stored in the first memory;
and the second processor is used for realizing the method steps of the client when executing the program stored in the second memory.
The invention has the beneficial effects that:
the service voucher processing method first integrates and stores the business data received through different interfaces to ensure the integrity of the original data, then parses the original voucher information to obtain data that can be used in logical operations and is therefore convenient to store and process, and finally applies multi-level encryption to the data so that authority management is hierarchical, thereby avoiding the risk of data leakage.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Drawings
Fig. 1 is a schematic flowchart of a service credential processing method applied to a server according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a service credential processing method applied to a client according to an embodiment of the present invention;
Fig. 3 is a block diagram of a service credential processing system according to an embodiment of the present invention;
Fig. 4 is a block diagram of an electronic device module according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but the embodiments of the present invention are not limited thereto.
Example one
Referring to fig. 1, fig. 1 is a schematic flowchart of a service credential processing method applied to a server according to an embodiment of the present invention, including:
S11, receiving the original certificate information and obtaining the network protocol type;
The original credential information may be, for example, information related to financial transactions received by a hospital system, such as online reimbursement electronic bills, invoice data, contract data, bank receipt data and electronic CA credential data. This information comes from many sources: for example, the contract data may be transmitted by a supplier system and the bank receipt data may be transmitted by different banks. Because such data must be parsed with the corresponding protocol rules after transmission, the network protocol type used in the transmission, such as TCP/IP, HTTP or FTP, has to be acquired at the same time.
S12, distributing corresponding processing interfaces according to the network protocol type, and storing the original certificate information to a corresponding storage space in a first storage;
It should be noted here that most of the original credential information is in picture or document format. Such files occupy a large amount of storage space and are difficult to use in computer logic operations, so the original credential information is generally archived as a record voucher, is generally not called and viewed by users, and is stored in a dedicated large-capacity memory.
S13, analyzing the original certificate information stored in the first memory according to a preset rule, writing the obtained original data stream into a corresponding data unit in a first database, and storing a first database file in a corresponding storage space in the first memory, wherein the first database file comprises operable data and inoperable data;
Since the original certificate information cannot be processed logically, it is parsed to obtain operable data on which logical operations can be performed, and the information that cannot be parsed is used directly as inoperable data. The parsing process of this embodiment extracts specific text fields or specific numerical fields from the original credential information and stores the extracted fields in data units. For example, when the original credential information is a bank receipt file, specific text or numerical fields such as account number data, amount data, bank information and transaction date data can be parsed out and stored in preset data units. The preset rule is set according to actual requirements; generally, recognition and extraction can be performed through OCR.
Since the parsed data is not encrypted and is still in plaintext, it remains stored in the first memory to ensure data security and is generally not called and viewed by users.
S14, performing three-level encryption on the operable data according to authority configuration logic, directly encrypting the inoperable data to obtain a second database file, and storing the second database file into a second memory;
The authority configuration logic is adjusted to the circumstances of each hospital: different reference authorities are assigned to different roles, which avoids the problem of cross-level viewing. Considering the complexity of multi-level encryption, three rounds of encryption are generally suitable. Because data is generally stored on a server and users access it through a client, handling data access permissions through server configuration not only carries a certain security risk but also easily leads to disorderly granting of permissions. In this embodiment the authority is managed naturally through encryption, which makes authority management clearer and improves the security of data storage.
The operable data is data on which logical addition, subtraction and logical comparison can be performed. It is divided into data bytes during parsing, so it is easy to encrypt. The inoperable data cannot be split logically; it is stored as a whole data block and can only be encrypted as a whole data block.
For example, the parsed contract data includes a contract number, a contract name, a contract amount, a payment method, a payment state, an approval date, an approver and the like. According to their different permissions, user A can only view the contract number and know that a contract has been signed, user B can also view the contract amount and the payment method, and user C can further view the approval date and the approver, the permissions being expanded level by level.
The second database file is the one generally called and viewed by users, and it can be deleted or modified at any time as the secret key changes, so it is stored in a second memory different from the first memory. Even if the data in the second memory is deleted, the second database file can be obtained again from the first memory; and because the second memory is open to the outside, the encryption ensures that an intruder cannot view the core content of the second database file.
S15, responding to an access request of a client to judge whether the client has a first memory or a second memory access right, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
To ensure the security of data access, further determination proceeds only when the user enters a correct password on an authenticated client device.
S16, if it is determined from the MAC address of the client that the client has access authority to the first memory, determining whether the gateway address directly connected with the client is consistent with a preset gateway address; if so, providing the first database file access address in a read-write mode, and if not, providing the second database file access address in a read-only mode and sending the third-level secret key to the client; or, if it is determined from the MAC address of the client that the client has access authority to the second memory, determining the reference level for the second database file according to the password, and sending the corresponding secret key to the client according to the reference level.
The server side stores in advance the MAC addresses of the clients that have access authority, that is, only specific clients can access. Because the first database file is not generally called and viewed by users, it can be accessed only with the highest authority, which has read-write authority over the original data. To ensure data security, the gateway address directly connected with the client must also be consistent with the preset gateway address: since the first database file is not encrypted, there is a risk of leakage when transmission is forwarded through devices such as routers, so access is considered secure only when the client is directly connected to the server-side network. That is, even if the client's MAC address is judged to have access authority to the first memory, a client that connects through other gateway equipment cannot access the first database file, although it can freely access the second database file.
For a client that has only access authority to the second memory, the authority level must be further determined so that the client can access the data corresponding to that level. Since the keys are set according to authority level, only the corresponding key needs to be provided. It should be noted that the encryption in this embodiment is symmetric encryption, so the same key is used for encryption and decryption.
Specifically, the three-level encryption of the data that can be operated according to the authority configuration logic includes:
dividing the operable data into 4 reference-level data segments, wherein the fourth reference-level data segment is not encrypted, and the first reference-level data segment is encrypted 3 times;
encrypting the first reference-level data segment with a first secret key to obtain first encrypted data;
merging the second reference-level data segment with the first encrypted data, and then encrypting the result with a second secret key to obtain second encrypted data;
merging the third reference-level data segment with the second encrypted data, and then encrypting the result with a third secret key to obtain third encrypted data;
and merging the fourth reference-level data segment with the third encrypted data to obtain the operable data ciphertext.
The second secret key is different from both the first secret key and the third secret key; that is, the first secret key and the third secret key may be the same. Because the encryption in this embodiment is progressive, even if the third secret key is known, the second-level data cannot be decrypted and the data cannot be parsed any further, which ensures the security of progressive decryption and the level-by-level division of authority.
In a specific embodiment, when the access times of all client MAC addresses within a preset time period are judged to be greater than a first preset threshold, a new secret key is used to encrypt a first database file to obtain a third database file, and an access address of the third database file and a corresponding secret key are provided and sent to a connected client, so that the client disconnects from a second database when receiving the access address of the third database file and the corresponding secret key;
and deleting the second database file after all the clients stop accessing the second database file.
The more accesses there are, the greater the risk of secret key leakage, so when the number of accesses is large a new secret key is selected for encryption. However, since data access cannot be interrupted, a new third database file is generated while the second database file is still being accessed: newly connecting clients access the third database file, while clients that are already connected and have not been interrupted continue to access the second database file. Once all clients have stopped accessing the second database file it is deleted and only the third database file is kept, and the process is repeated cyclically. Preferably, the first preset threshold may be 1000.
In a specific embodiment, when it is determined that the number of accesses within the preset time period from the MAC address of a client that does not have access authority to the first database file but has access authority to the second database file is greater than a second preset threshold, the client's request to access the second database file is denied. A client with first database file access authority can access without limitation, but for a client that has only second database file access authority the number of accesses must be limited, to avoid the security risk caused by misuse of the database. The preset time period is, for example, 1 day, and the second preset threshold is, for example, 30 times.
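The access decision of S15 and S16 together with the two access-count thresholds, as an added Python example (not code from the patent). The names `AccessController` and `Grant`, the PBKDF2 password check, the mapping from reference level to the number of keys released, the reading of "third-level keys" as all three keys, and every address, password and key value are assumptions or constructed sample values.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

SALT = b"constructed-demo-salt"   # constructed value for the example

def pw_digest(password: str) -> bytes:
    """Derive a digest so that level passwords are not kept in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

@dataclass(frozen=True)
class Grant:
    target: str            # "first_db", "second_db" or "denied"
    mode: str = ""         # "rw" or "ro"
    keys: tuple = ()       # decryption keys, outermost layer first

class AccessController:
    """Hypothetical server-side check following S15/S16 and both thresholds."""

    def __init__(self, first_macs, second_macs, preset_gateway, level_passwords,
                 keys_outer_first, window=86400, first_threshold=1000,
                 second_threshold=30):
        self.first_macs = {m.lower() for m in first_macs}
        self.second_macs = {m.lower() for m in second_macs}
        self.preset_gateway = preset_gateway
        self.level_digests = {lvl: pw_digest(pw) for lvl, pw in level_passwords.items()}
        self.keys = tuple(keys_outer_first)        # (third, second, first) key
        self.window = window                       # page example: 1 day
        self.first_threshold = first_threshold     # page example: 1000
        self.second_threshold = second_threshold   # page example: 30
        self.per_mac = defaultdict(deque)
        self.all_hits = deque()

    def _expire(self, hits, now):
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def _count(self, hits, now):
        hits.append(now)
        self._expire(hits, now)
        return len(hits)

    def rotation_due(self, now) -> bool:
        """True once accesses from all MAC addresses exceed the first threshold."""
        self._expire(self.all_hits, now)
        return len(self.all_hits) > self.first_threshold

    def decide(self, mac, gateway, password, now) -> Grant:
        # mac and gateway are the values carried in the access request, as the
        # page describes; how the server verifies them is outside this example.
        mac = mac.lower()
        self._count(self.all_hits, now)
        if mac in self.first_macs:
            if gateway == self.preset_gateway:
                return Grant("first_db", "rw")
            # Off the preset gateway: read-only ciphertext plus the keys
            # (assumption: "third-level keys" means the keys of all levels).
            return Grant("second_db", "ro", self.keys)
        if mac not in self.second_macs:
            return Grant("denied")
        # Second-memory-only clients are limited per MAC address; every request
        # counts, including ones that later fail the password check.
        if self._count(self.per_mac[mac], now) > self.second_threshold:
            return Grant("denied")
        presented = pw_digest(password)
        level = None
        for lvl, digest in self.level_digests.items():
            if hmac.compare_digest(presented, digest):
                level = lvl
        if level is None:
            return Grant("denied")
        # Assumption: level 4 gets no key, level 3 one key, ... level 1 three.
        return Grant("second_db", "ro", self.keys[: 4 - level])

if __name__ == "__main__":
    ctl = AccessController({"02:00:00:00:00:01"}, {"02:00:00:00:00:02"}, "10.0.0.1",
                           {1: "pw-one", 2: "pw-two", 3: "pw-three", 4: "pw-four"},
                           (b"K3", b"K2", b"K1"))
    print(ctl.decide("02:00:00:00:00:01", "10.0.0.1", "", 0))
    print(ctl.decide("02:00:00:00:00:02", "192.168.1.1", "pw-three", 1))
```

When `rotation_due` returns true, the server would re-encrypt the first database file under new keys and hand out the third database file address as the paragraph on the first preset threshold describes.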
The service voucher processing method first integrates and stores the business data received through different interfaces to ensure the integrity of the original data, then parses the original voucher information to obtain data that can be used in logical operations and is therefore convenient to store and process, and finally applies multi-level encryption to the data so that authority management is hierarchical, thereby avoiding the risk of data leakage. In addition, because a user with ordinary authority can only reach the second database file, even if the database is leaked its specific content cannot be learned because it is encrypted; and since the second database file is not the original base database, it can be restored quickly even if it is deleted or tampered with.
Referring to fig. 2, fig. 2 is a schematic flow chart of a service credential processing method applied to a client according to an embodiment of the present invention, including:
S21, sending an access request to a server to acquire a reference authority, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
S22, responding to the first database file access address fed back by the server, and performing read-write operation on the first database file; or responding to a second database file access address and key information fed back by the server, and performing read-only operation on the second database file, wherein the first database file comprises operable data and inoperable data;
the first database file is obtained by analyzing original certificate information stored in the first memory according to a preset rule and writing an obtained original data stream into a corresponding data unit in a first database, and the second database file is obtained by performing three-level encryption on the operable data and directly encrypting the inoperable data.
In one embodiment, performing the read-only operation on the second database file in response to the second database file access address and the key information fed back by the server comprises the following steps:
obtaining the number of secret keys from the key information to determine the number of encryption levels;
reading the second database file;
if the number of the secret keys is 0, extracting the unencrypted data segment from the second database file for operation;
if the number of the secret keys is 1, after extracting the unencrypted data segment from the second database file, decrypting the remaining encrypted data segment, and extracting first-stage decrypted data;
if the number of the secret keys is 2, after extracting the unencrypted data segment from the second database file, carrying out first decryption on the remaining encrypted data segment, extracting first-stage decryption data, carrying out second decryption on the remaining encrypted data segment after extracting the first-stage decryption data, and extracting second-stage decryption data;
if the number of the secret keys is 3, after extracting the unencrypted data segment from the second database file, carrying out first decryption on the remaining encrypted data segment, extracting first-stage decryption data, carrying out second decryption on the remaining encrypted data segment after extracting the first-stage decryption data, extracting second-stage decryption data, carrying out third decryption on the remaining encrypted data segment after extracting the second-stage decryption data, and extracting third-stage decryption data.
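The layered construction set out in claim 2 and the key-count-driven read procedure in the steps above can be exercised end to end; the following is an added example, not code from the patent. The patent names no cipher or merge format, so the HMAC-SHA256 stream cipher with an authentication tag, the 4-byte length framing, the function names and the sample voucher fields are all assumptions, and the reader's keys are supplied outermost layer first.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample: one voucher's operable data split by consulting level
# (level 4 stays in the clear, level 1 ends up under three layers).
DEMO_SEGMENTS = {
    4: b"voucher_no=V-0001",
    3: b"amount=1280.00",
    2: b"payee=constructed-payee",
    1: b"account=constructed-account",
}


def _subkey(key, label):
    # Separate encryption and MAC keys derived from one layer key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Stand-in cipher (assumption): XOR keystream, then encrypt-then-MAC."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Verify the tag before decrypting, so a wrong key fails loudly."""
    if len(blob) < 48:
        raise ValueError("no encrypted layer left to open")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified layer")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def _merge(segment, inner):
    # Assumed merge format: 4-byte big-endian segment length, segment, inner blob.
    return struct.pack(">I", len(segment)) + segment + inner


def _split(blob):
    if len(blob) < 4:
        raise ValueError("truncated frame")
    (size,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + size:
        raise ValueError("truncated segment")
    return blob[4:4 + size], blob[4 + size:]


def build_ciphertext(segments, k1, k2, k3):
    """Server side: level 1 is sealed three times, level 4 not at all."""
    if k2 == k1 or k2 == k3:
        raise ValueError("second key must differ from the first and third keys")
    e1 = seal(k1, _merge(segments[1], b""))
    e2 = seal(k2, _merge(segments[2], e1))
    e3 = seal(k3, _merge(segments[3], e2))
    return _merge(segments[4], e3)


def read_with_keys(ciphertext, keys):
    """Client side: 0 to 3 keys, outermost first. Returns the segments reached,
    starting with the unencrypted one, then one per decryption stage."""
    if len(keys) > 3:
        raise ValueError("at most three keys")
    segment, rest = _split(ciphertext)
    stages = [segment]
    for key in keys:
        segment, rest = _split(unseal(key, rest))
        stages.append(segment)
    return stages
```

A reader holding fewer keys stops at the layer it cannot open, and the authentication tag turns a wrong or out-of-order key into an error instead of silently producing garbage.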
Referring to fig. 3, the present invention also provides a service credential processing system, which includes a server 31 and a client 32;
the server 31 includes:
an original credential receiving module 311, configured to receive original credential information and obtain a network protocol type;
a storage processing module 312, configured to allocate a corresponding processing interface according to the network protocol type, and store the original credential information in a corresponding storage space in a first storage;
the analysis module 313 is configured to analyze the original credential information stored in the first memory according to a preset rule, write the obtained original data stream into a corresponding data unit in a first database, and store a first database file in a corresponding storage space in the first memory, where the first database file includes operable data and inoperable data;
the encryption processing module 314 is configured to perform three-level encryption on the operable data according to the permission configuration logic, directly encrypt the inoperable data to obtain a second database file, and store the second database file in a second memory;
the permission judging module 315 is configured to respond to an access request of a client to judge whether the client has a first memory or a second memory access permission, where the access request includes a client MAC address, a gateway address directly connected to the client, and a password;
the key distribution module 316 is configured to determine whether a gateway address directly connected to the client is consistent with a preset gateway address if it is determined that the client has an access right of the first memory according to the client MAC address, provide a first database file access address in a readable and writable manner if the gateway address is consistent with the preset gateway address, provide a second database file access address in a read-only manner if the gateway address is inconsistent with the preset gateway address, and send all the third-level keys to the client; or if the client is judged to have the access right of a second memory according to the MAC address of the client, judging the consulting level of a second database file according to the password, and sending a corresponding secret key to the client according to the consulting level;
the client 32 includes:
an access request module 321, configured to send an access request to a server to obtain a lookup permission, where the access request includes a client MAC address, a gateway address directly connected to the client, and a password;
the operation module 322 is configured to perform read-write operation on the first database file in response to the first database file access address fed back by the server; or responding to the access address and the key information of the second database file fed back by the server, and performing read-only operation on the second database file, wherein the first database file comprises operable data and inoperable data.
Referring to fig. 4, the present invention also provides an electronic device, which includes a first processor 41, a second processor 42, a communication interface 43, a first memory 44, a second memory 45 and a communication bus 46, wherein the first processor 41, the second processor 42, the communication interface 43, the first memory 44 and the second memory 45 complete communication with each other through the communication bus 46;
a first memory 44 for storing a first computer program;
a second memory 45 for storing a second computer program;
the first processor 41, when executing the program stored in the first memory 44, implements the following steps:
S11, receiving the original certificate information and obtaining the network protocol type;
S12, distributing corresponding processing interfaces according to the network protocol type, and storing the original certificate information to a corresponding storage space in a first storage;
S13, analyzing the original certificate information stored in the first memory according to a preset rule, writing the obtained original data stream into a corresponding data unit in a first database, and storing a first database file in a corresponding storage space in the first memory, wherein the first database file comprises operable data and inoperable data;
S14, performing three-level encryption on the operable data according to authority configuration logic, directly encrypting the inoperable data to obtain a second database file, and storing the second database file into a second memory;
S15, responding to an access request of a client to judge whether the client has a first memory or a second memory access right, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
S16, if the client is judged to have the access authority of the first memory according to the MAC address of the client, whether the gateway address directly connected with the client is consistent with a preset gateway address or not is judged, if so, the first database file access address is provided in a read-write mode, and if not, the second database file access address is provided in a read-only mode and the third-level secret key is sent to the client; or if the client is judged to have the access authority of the second memory according to the MAC address of the client, judging the consulting level of the second database file according to the password, and sending a corresponding secret key to the client according to the consulting level.
The second processor 42, when executing the program stored in the second memory 45, implements the following steps:
S21, sending an access request to a server to acquire a lookup permission, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
S22, responding to the first database file access address fed back by the server, and performing read-write operation on the first database file; or responding to the second database file access address and the key information fed back by the server, and performing read-only operation on the second database file.
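The server-side decision in S15 and S16, together with the per-MAC access limit for clients that hold only the second database file access right, can be written as one gate; the following is an added example, not code from the patent. The class and field names, the key labels k1 to k3, the mapping from consulting level to keys, the salted PBKDF2 password table, the reading of the gateway-mismatch branch as sending all three keys, and the choice to count only granted accesses are assumptions; the 1-day window and the threshold of 30 are the page's example values.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed mapping: keys are labelled outermost (k3) to innermost (k1).
KEYS_BY_LEVEL = {4: (), 3: ("k3",), 2: ("k3", "k2"), 1: ("k3", "k2", "k1")}


def hash_password(password, salt):
    # Passwords are stored and compared as salted PBKDF2 digests (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Policy:
    first_memory_macs: frozenset
    second_memory_macs: frozenset
    preset_gateway: str
    salt: bytes
    level_by_password_hash: dict       # PBKDF2 digest -> consulting level 1..4
    second_threshold: int = 30         # second preset threshold (page's example)
    window_seconds: int = 24 * 3600    # preset time period (page's example: 1 day)


@dataclass
class Decision:
    granted: bool
    target: str = ""    # "first_db" or "second_db"
    mode: str = ""      # "read-write" or "read-only"
    keys: tuple = ()
    reason: str = ""


class AccessGate:
    def __init__(self, policy):
        self.policy = policy
        self._hits = defaultdict(deque)   # MAC -> times of granted second-DB accesses

    def _level_for(self, password):
        digest = hash_password(password, self.policy.salt)
        for known, level in self.policy.level_by_password_hash.items():
            if hmac.compare_digest(digest, known):
                return level
        return None

    def decide(self, mac, gateway, password, now):
        """MAC and gateway are values reported in the request; a deployment
        would bind them to something the server itself can verify."""
        p = self.policy
        mac = mac.lower()
        if mac in p.first_memory_macs:
            if gateway == p.preset_gateway:
                return Decision(True, "first_db", "read-write",
                                reason="first-memory MAC on preset gateway")
            return Decision(True, "second_db", "read-only", KEYS_BY_LEVEL[1],
                            "first-memory MAC off preset gateway")
        if mac not in p.second_memory_macs:
            return Decision(False, reason="MAC has no access right")
        hits = self._hits[mac]
        while hits and now - hits[0] >= p.window_seconds:
            hits.popleft()                 # drop accesses older than the window
        if len(hits) + 1 > p.second_threshold:
            return Decision(False, reason="access count over second preset threshold")
        level = self._level_for(password)
        if level is None:
            return Decision(False, reason="password maps to no consulting level")
        hits.append(now)
        return Decision(True, "second_db", "read-only", KEYS_BY_LEVEL[level],
                        f"consulting level {level}")


def demo_policy():
    # Constructed values: locally administered MACs, documentation-range gateway.
    salt = b"constructed-salt"
    return Policy(
        first_memory_macs=frozenset({"02:00:00:00:00:01"}),
        second_memory_macs=frozenset({"02:00:00:00:00:02", "02:00:00:00:00:03"}),
        preset_gateway="192.0.2.1",
        salt=salt,
        level_by_password_hash={hash_password("level3-pass", salt): 3,
                                hash_password("level1-pass", salt): 1},
    )
```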
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The first Memory and the second Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The first Processor and the second Processor may be general-purpose processors, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; they may also be Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
The method provided by the embodiment of the invention can be applied to electronic equipment. Specifically, the electronic device may be: desktop computers, portable computers, intelligent mobile terminals, and the like. Without limitation, any electronic device that can implement the present invention is within the scope of the present invention.
For the apparatus/electronic device/storage medium embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to part of the description of the method embodiment.
It should be noted that the system and the electronic device according to the embodiments of the present invention are respectively a system and an electronic device using the above method, and all embodiments of the above method are applicable to the system and the electronic device, and can achieve the same or similar beneficial effects.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
In the description herein, references to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples described in this specification can be combined by those skilled in the art.
While the present application has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus (device), or computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "module" or "system". Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. A computer program stored/distributed on a suitable medium supplied together with or as part of other hardware may also take other distributed forms, such as via the Internet or other wired or wireless telecommunication systems.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.

Claims (8)

1. A service certificate processing method is applied to a server side, and is characterized by comprising the following steps:
receiving original certificate information and acquiring a network protocol type;
distributing a corresponding processing interface according to the network protocol type, and storing the original certificate information into a corresponding storage space in a first storage;
analyzing the original certificate information stored in the first memory according to a preset rule, writing the obtained original data stream into a corresponding data unit in a first database, and storing a first database file in a corresponding storage space in the first memory, wherein the first database file comprises operable data and inoperable data;
performing three-level encryption on the operable data according to authority configuration logic, directly encrypting the inoperable data to obtain a second database file, and storing the second database file into a second memory;
responding to an access request of a client to judge whether the client has a first memory or a second memory access right, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
if the client side is judged to have the access authority of the first storage according to the MAC address of the client side, whether a gateway address directly connected with the client side is consistent with a preset gateway address or not is judged, if so, a first database file access address is provided in a readable and writable mode, and if not, a second database file access address is provided in a read-only mode and a third-level secret key is sent to the client side; or if the client is judged to have the access authority of the second memory according to the MAC address of the client, judging the consulting level of the second database file according to the password, and sending a corresponding secret key to the client according to the consulting level.
2. The service credential processing method according to claim 1, wherein the performing of three-level encryption on the operable data according to the authority configuration logic comprises:
dividing the operable data into 4 consulting level data segments, wherein the fourth consulting level data segment is not encrypted, and the first consulting level data segment is encrypted 3 times;
encrypting the first consulting level data segment by using a first secret key to obtain first encrypted data;
merging the second consulting level data segment with the first encrypted data, and then encrypting by using a second secret key to obtain second encrypted data;
merging the third consulting level data segment with the second encrypted data, and encrypting by using a third secret key to obtain third encrypted data;
combining the fourth consulting level data segment with the third encrypted data to obtain an operable data ciphertext;
wherein the second key is different from both the first key and the third key.
3. The service certificate processing method according to claim 1, wherein when it is determined that the number of accesses to the MAC addresses of all the clients within a preset time period is greater than a first preset threshold, a new key is used to encrypt the first database file to obtain a third database file, and an access address and a corresponding key of the third database file are provided to the connected clients, so that the clients disconnect from the second database when receiving the access address and the corresponding key of the third database file;
and deleting the second database file after all the clients stop accessing the second database file.
4. The service credential processing method according to claim 1, wherein when it is determined that the number of times of MAC address accesses to the client having the first database file access right and the second database file access right within a preset time period is greater than a second preset threshold, the client is denied a request for accessing the second database file.
5. A service certificate processing method is applied to a client, and is characterized by comprising the following steps:
sending an access request to a server to acquire a lookup permission, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
responding to a first database file access address fed back by a server side, and performing read-write operation on the first database file; or responding to a second database file access address and key information fed back by the server, and performing read-only operation on the second database file, wherein the first database file comprises operable data and inoperable data;
the first database file is obtained by analyzing original certificate information stored in the first memory according to a preset rule and writing an obtained original data stream into a corresponding data unit in a first database, and the second database file is obtained by performing three-level encryption on the operable data and directly encrypting the inoperable data.
6. The service credential processing method according to claim 5, wherein performing the read-only operation on the second database file in response to the second database file access address and the key information fed back by the server comprises the following steps:
obtaining the number of secret keys from the key information to determine the number of encryption levels;
reading the second database file;
if the number of the secret keys is 0, extracting the unencrypted data segment from the second database file for operation;
if the number of the secret keys is 1, after extracting the unencrypted data segment from the second database file, decrypting the remaining encrypted data segment, and extracting first-stage decrypted data;
if the number of the secret keys is 2, after extracting the unencrypted data segment from the second database file, carrying out first decryption on the remaining encrypted data segment, extracting first-stage decryption data, carrying out second decryption on the remaining encrypted data segment after extracting the first-stage decryption data, and extracting second-stage decryption data;
if the number of the secret keys is 3, after extracting the unencrypted data segment from the second database file, carrying out first decryption on the remaining encrypted data segment, extracting first-stage decryption data, carrying out second decryption on the remaining encrypted data segment after extracting the first-stage decryption data, extracting second-stage decryption data, carrying out third decryption on the remaining encrypted data segment after extracting the second-stage decryption data, and extracting third-stage decryption data.
7. A business voucher processing system is characterized by comprising a server side and a client side;
the server side includes:
the original certificate receiving module is used for receiving original certificate information and acquiring a network protocol type;
the storage processing module is used for distributing a corresponding processing interface according to the network protocol type and storing the original certificate information into a corresponding storage space in a first storage;
the analysis module is used for analyzing the original certificate information stored in the first memory according to a preset rule, writing the obtained original data stream into a corresponding data unit in a first database, and storing a first database file in a corresponding storage space in the first memory, wherein the first database file comprises operable data and inoperable data;
the encryption processing module is used for carrying out three-level encryption on the operable data according to authority configuration logic, directly encrypting the inoperable data to obtain a second database file, and storing the second database file into a second memory;
the authority judging module is used for responding to an access request of a client to judge whether the client has a first memory or a second memory access authority, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
the key distribution module is used for judging whether a gateway address directly connected with the client is consistent with a preset gateway address or not if the client is judged to have the access authority of the first memory according to the MAC address of the client, providing a first database file access address in a read-write mode if the gateway address directly connected with the client is consistent with the preset gateway address, and providing a second database file access address in a read-only mode and sending the third-level keys to the client if the gateway address directly connected with the client is inconsistent with the preset gateway address; or if the client is judged to have the access right of a second memory according to the MAC address of the client, judging the consulting level of a second database file according to the password, and sending a corresponding secret key to the client according to the consulting level;
the client comprises:
the access request module is used for sending an access request to a server to acquire a lookup permission, wherein the access request comprises a client MAC address, a gateway address directly connected with the client and a password;
the operation module is used for responding to the first database file access address fed back by the server side and performing read-write operation on the first database file; or responding to the access address and the key information of the second database file fed back by the server, and performing read-only operation on the second database file, wherein the first database file comprises operable data and inoperable data.
8. An electronic device is characterized by comprising a first processor, a second processor, a communication interface, a first memory, a second memory and a communication bus, wherein the first processor, the second processor and the communication interface are used for completing communication among the memories through the communication bus;
a first memory for storing a first computer program;
a second memory for storing a second computer program;
a first processor for implementing the method steps of any one of claims 1 to 4 when executing the program stored in the first memory;
a second processor arranged to perform the method steps of any of claims 5 to 6 when executing the program stored in the second memory.
CN202210174251.6A 2022-02-25 2022-02-25 Business certificate processing method, system and electronic equipment Pending CN114239081A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210174251.6A CN114239081A (en) 2022-02-25 2022-02-25 Business certificate processing method, system and electronic equipment

Publications (1)

Publication Number Publication Date
CN114239081A true CN114239081A (en) 2022-03-25

Family

ID=80748150

Country Status (1)

Country Link
CN (1) CN114239081A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220325