CN115174100B - Cryptographic processing method and system for gRPC data - Google Patents


Info

Publication number: CN115174100B
Application number: CN202210703747.8A
Authority: CN (China)
Prior art keywords: data object, processing, grpc, message data, data
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN115174100A
Inventors: 龙毅宏, 刘泉
Current assignee: Wuhan University of Technology (WUT) (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Wuhan University of Technology (WUT)
History: application filed by Wuhan University of Technology (WUT) with priority to CN202210703747.8A; published as CN115174100A; application granted and published as CN115174100B; legal status Active, expiration anticipated.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The cryptographic processing method for gRPC data comprises the following steps: a cryptographic processing interceptor intercepts the gRPC call requests and responses exchanged between a gRPC client and server; according to configuration information it calls a cryptographic component to encrypt and decrypt, with a stream cipher, the data in those fields of the request and response message data objects that require encryption and decryption; it combines the data in the fields that require signing and signature verification, the combined data containing the names and values of those fields, and calls the cryptographic component to sign and verify the combined data; the cryptographic processing interceptor transmits the digital signature data, the initialization vector of the stream-cipher key stream and the key negotiation data through the metadata of the gRPC request and response or through an agreed field of the message data object. The cryptographic processing interceptor is a program component implemented on the interceptor mechanism provided by the gRPC implementation technology.

Description

Cryptographic processing method and system for gRPC data
Technical Field
The invention belongs to the technical field of information security, and in particular relates to a cryptographic processing method and system for gRPC data.
Background
gRPC (Google Remote Procedure Call) is a remote procedure call framework and protocol proposed by Google, through which remote procedure or interface calls can be implemented; it is widely adopted today in various applications, for example in blockchain systems. gRPC itself provides no data protection mechanism. In practice TLS/SSL can be used to encrypt the transmitted data, but in some cases TLS/SSL is unsuitable or insufficient: it protects the channel rather than the message, so it cannot provide a digital signature over the original gRPC data that can be stored and verified later, and an application may require the original gRPC data itself to be encrypted and signed. For a newly developed system it is not difficult to encrypt and sign the native gRPC data, but for an existing, deployed system that is not to be modified, how to encrypt and sign the native gRPC data without changing the program code is the problem to be solved. Moreover, even for newly developed systems, application and system developers may be unfamiliar with cryptographic techniques and may not wish to program the cryptographic processing of data (encryption, signing) themselves.
Disclosure of Invention
The invention aims to provide a technical solution for the cryptographic processing of gRPC data (messages), so as to meet the requirement for security protection of gRPC data and to solve the technical problem described above.
To this end, the technical solution provided by the invention comprises a cryptographic processing method for gRPC data and a corresponding system.
The cryptographic processing method for gRPC data is as follows.
The concrete gRPC implementation technology provides reflection processing for data objects (a mechanism, capability or tool such as the reflection mechanisms of Java, Go or C#) and an interceptor mechanism (Interceptor) for gRPC requests and responses. Reflection processing means analysing and determining, through dedicated reflection tools and code, the data type and composition structure of a data object that is not known in advance, and reading and setting the data stored in that object.
(gRPC client submits call request)
When a gRPC client submits a gRPC call request, the client-side cryptographic processing interceptor is triggered. The interceptor parses the request message data object by reflection, queries the configuration information by the class name and/or field names of the request message data object, and determines whether the request message data object requires cryptographic processing, which here comprises encryption and/or signing;
if the request message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
each field of the request message data object is analysed by reflection to obtain its type (integer, floating point, byte string, etc.) and its field name (different types are encrypted in different ways);
the configuration information is used to determine whether the request message data object requires encryption, and if so a cryptographic component is called to encrypt the data in the fields that the configuration information marks for encryption (the configuration information designates those fields by name);
the configuration information is used to determine whether the request message data object requires signing, and if so the data in all fields that the configuration information marks for signing are combined into the data to be signed, a cryptographic component is called (with the signing private key specified by the configuration information) to digitally sign the combined data, and the resulting digital signature data are stored in the metadata of the call request or in a field of the request message data object that the configuration information designates for holding the digital signature (not necessarily a dedicated signature field);
the cryptographic processing interceptor is a program component developed on the interceptor mechanism of the gRPC implementation technology; it is triggered and executed when a gRPC client submits a gRPC call request and receives a gRPC call response, and when a gRPC server receives a gRPC call request and returns a gRPC call response, and it performs cryptographic processing on request message data objects and response message data objects;
the cryptographic component is a component (software, or a combination of software and hardware) that provides cryptographic functions;
the configuration information specifies the cryptographic processing that the cryptographic processing interceptor performs on request message data objects and response message data objects.
(gRPC server receives the call request)
When the gRPC server receives a gRPC call request submitted by a gRPC client, the server-side cryptographic processing interceptor is triggered. The interceptor parses the request message data object by reflection, queries the configuration information by the class name and/or field names of the request message data object, and determines whether the request message data object requires cryptographic processing, which here comprises decryption and/or signature verification;
if the request message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
each field of the request message data object is analysed by reflection to obtain its type (integer, floating point, byte string, etc.) and its field name (different types are decrypted in different ways);
the configuration information is used to determine whether the request message data object requires decryption, and if so a cryptographic component is called to decrypt the data in the fields that the configuration information marks for decryption (the configuration information designates those fields by name);
the configuration information is used to determine whether the request message data object requires signature verification, and if so the data in all fields that the configuration marks for verification are combined into the data to be verified, the digital signature data are obtained from the metadata of the call request or from the field of the request message data object that the configuration information designates, and a cryptographic component is called (with the verification public key specified by the configuration information) to verify the obtained digital signature against the combined data; if verification passes the request message is allowed through, otherwise error handling is entered. Since the sending side encrypts before it signs, the signature of a field that is both encrypted and signed covers that field's ciphertext; the receiving side must therefore verify such a field before decrypting it, so that the order of the two steps mirrors the sender's, and only fields that are signed but not encrypted are verified in plaintext form.
(gRPC server returns call response)
When the gRPC server returns a gRPC call response, the server-side cryptographic processing interceptor is triggered. The interceptor parses the response message data object by reflection, queries the configuration information by the class name and/or field names of the response message data object, and determines whether the response message data object requires cryptographic processing, which here comprises encryption and/or signing;
if the response message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
each field of the response message data object is analysed by reflection to obtain its type (integer, floating point, byte string, etc.) and its field name;
the configuration information is used to determine whether the response message data object requires encryption, and if so a cryptographic component is called to encrypt the data in the fields that the configuration information marks for encryption (the configuration information designates those fields by name);
the configuration information is used to determine whether the response message data object requires signing, and if so the data in all fields that the configuration marks for signing are combined into the data to be signed, a cryptographic component is called (with the signing private key specified by the configuration information) to digitally sign the combined data, and the resulting digital signature data are stored in the metadata of the call response or in a field of the response message data object that the configuration information designates for holding the digital signature (not necessarily a dedicated signature field).
(gRPC client receives the call response)
When the gRPC client receives the gRPC call response returned by the gRPC server, the client-side cryptographic processing interceptor is triggered. The interceptor parses the response message data object by reflection, queries the configuration information by the class name and/or field names of the response message data object, and determines whether the response message data object requires cryptographic processing, which here comprises decryption and/or signature verification;
if the response message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
each field of the response message data object is analysed by reflection to obtain its type (integer, floating point, byte string, etc.) and its field name;
the configuration information is used to determine whether the response message data object requires decryption, and if so a cryptographic component is called to decrypt the data in the fields that the configuration information marks for decryption (the configuration information designates those fields by name);
the configuration information is used to determine whether the response message data object requires signature verification, and if so the data in all fields that the configuration marks for verification are combined into the data to be verified, the digital signature data are obtained from the metadata of the call response or from the field of the response message data object that the configuration information designates, and a cryptographic component is called (with the verification public key specified by the configuration information) to verify the obtained digital signature against the combined data; if verification passes the response message is allowed through, otherwise error handling is entered. As on the server side, a field that is both encrypted and signed is verified over its ciphertext, before it is decrypted.
In the above cryptographic processing method for gRPC data, if it cannot be determined from the class name and field names of a (request or response) message data object whether it requires cryptographic processing, the cryptographic processing interceptor further decides according to the data in a field of the message data object designated by the configuration information (different values in the designated field lead to different decisions); message data objects comprise request message data objects and response message data objects.
In the above cryptographic processing method for gRPC data, the encryption mode used for the data in the fields of request and response message data objects is stream encryption, and decryption is the corresponding stream decryption. Data of a non-byte-string type is first forcibly converted by the cryptographic processing interceptor into byte-string form and then encrypted or decrypted; the result is stored back in the original field of the message data object as a value of the original data type.
In the above cryptographic processing method for gRPC data, the cryptographic processing interceptor transmits the initialization vector (IV) of the stream-cipher key stream through the metadata of the gRPC request or response (the IV together with the key generates the initial key stream; the IV is non-secret data), or by other means (for example through another data transmission channel, or through a field of byte-string type in the message data object).
In the above cryptographic processing method for gRPC data, if the gRPC client and server hold no stream-cipher key in advance, the cryptographic processing interceptor negotiates or transfers the stream-cipher key through the metadata of the gRPC call request and response. The mechanisms for negotiating or transferring the key include a symmetric-key cryptographic mechanism (for example, deriving the key from a seed key shared by both parties together with a randomly chosen non-secret byte string) and a public-key cryptographic mechanism (for example, encrypting the stream-cipher key with a public key); the key may also be negotiated or transferred by other means (through another data transmission channel, or through a field of byte-string type in the message data object).
In the above cryptographic processing method for gRPC data, the data in the fields of the request and response message data objects that require signing and signature verification are combined, and the combined data contains the names and the values of those fields.
On the basis of the cryptographic processing method for gRPC data, a cryptographic processing system for gRPC data can be built, comprising a cryptographic processing interceptor and a cryptographic component: the cryptographic component provides the cryptographic function calls, and the cryptographic processing interceptor performs the cryptographic processing of the data in gRPC message data objects according to the configuration information by calling the cryptographic component; the cryptographic functions comprise encryption, decryption, signing and signature verification; message data objects comprise request message data objects and response message data objects.
As the above description shows, according to the solution of the invention the encryption and decryption of gRPC request and response data (messages) can be carried out automatically by the cryptographic processing interceptor without modifying the program code of existing, deployed systems. The digital signature data is carried in the metadata of the call request and call response or, where the gRPC message data object has a field of byte-string type, appended to that field and carried in it, so that signing and signature verification of gRPC request and response data (messages) can likewise be realized automatically by the cryptographic processing interceptor without modifying the program code of existing, deployed systems. For existing, deployed systems as well as newly developed ones, a message data object containing a digital signature field can also simply be (re)defined and the signing and verification of gRPC request and response data (messages) realized through the invention; the business and application program code of existing, deployed systems need not be modified, and developers of new systems need not concern themselves with implementing these functions. Note that "without modifying the system program code" means that the main program code is not modified; a small amount of initialization code may have to be changed to inject the interceptor (if the interceptor can be added through configuration even this is unnecessary, depending on the implementation mechanism of gRPC and of the interceptor).
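The four interceptor steps above (client send, server receive, server return, client receive) carried through in Go, as an added example that is not code from the patent or from any gRPC implementation. gRPC metadata is represented by a plain map so that the example runs with the standard library alone; the message is a constructed sample struct standing in for the protobuf-generated type; AES-CTR is used as the stream cipher and Ed25519 as the signature algorithm (the patent fixes neither); and the metadata key names x-iv and x-signature are assumed. The receiving side verifies before it decrypts, mirroring the sending side's encrypt-then-sign order, so a signed field that is also encrypted is checked over its ciphertext. The same two functions serve the response direction with the server's keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"reflect"
	"strings"
)

// Metadata stands in for gRPC call metadata (metadata.MD); x-iv and x-signature are assumed key names.
type Metadata map[string]string

type Config struct { // the patent's configuration information for one message class
	Encrypt []string // fields to stream-encrypt, in key-stream order
	Sign    []string // fields covered by the signature
}

// TransferRequest is a constructed sample; a real interceptor sees the protobuf-generated struct.
type TransferRequest struct {
	Account string
	Amount  int64
	Memo    string
}

// fieldBytes forces a field into byte-string form: strings as-is, int64 as eight big-endian bytes (encoding is this example's choice).
func fieldBytes(v reflect.Value) ([]byte, error) {
	if v.Kind() == reflect.String { return []byte(v.String()), nil }
	if v.Kind() != reflect.Int64 { return nil, fmt.Errorf("unsupported field kind %s", v.Kind()) }
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(v.Int()))
	return b, nil
}

// xorFields runs one continuing AES-CTR key stream over the configured fields in config
// order (no key-stream byte is reused across fields) and writes each result back as its
// original type; string ciphertext stays Base64-encoded so the field remains valid UTF-8 as proto3 requires.
func xorFields(msg interface{}, cfg Config, key, iv []byte, decrypt bool) error {
	block, err := aes.NewCipher(key)
	if err != nil { return err }
	stream := cipher.NewCTR(block, iv)
	for _, name := range cfg.Encrypt {
		f := reflect.ValueOf(msg).Elem().FieldByName(name)
		b, err := fieldBytes(f)
		if err != nil { return fmt.Errorf("field %q: %w", name, err) }
		if decrypt && f.Kind() == reflect.String {
			if b, err = base64.StdEncoding.DecodeString(string(b)); err != nil { return err }
		}
		stream.XORKeyStream(b, b)
		switch {
		case f.Kind() == reflect.Int64:
			f.SetInt(int64(binary.BigEndian.Uint64(b)))
		case decrypt:
			f.SetString(string(b))
		default:
			f.SetString(base64.StdEncoding.EncodeToString(b))
		}
	}
	return nil
}

// signedData builds the patent's name=Base64(value)&... string over the signed fields as they stand after encryption, and binds the IV into it.
func signedData(msg interface{}, cfg Config, ivB64 string) (string, error) {
	parts := make([]string, 0, len(cfg.Sign)+1)
	for _, name := range cfg.Sign {
		b, err := fieldBytes(reflect.ValueOf(msg).Elem().FieldByName(name))
		if err != nil { return "", fmt.Errorf("field %q: %w", name, err) }
		parts = append(parts, name+"="+base64.StdEncoding.EncodeToString(b))
	}
	return strings.Join(append(parts, "x-iv="+ivB64), "&"), nil
}

// ClientSend: fresh IV, encrypt, then sign (Ed25519 is this example's choice; the patent fixes no algorithm).
func ClientSend(msg interface{}, cfg Config, key []byte, priv ed25519.PrivateKey) (Metadata, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return nil, err }
	if err := xorFields(msg, cfg, key, iv, false); err != nil { return nil, err }
	md := Metadata{"x-iv": base64.StdEncoding.EncodeToString(iv)}
	tbs, err := signedData(msg, cfg, md["x-iv"])
	if err != nil { return nil, err }
	md["x-signature"] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(tbs)))
	return md, nil
}

// ServerReceive mirrors ClientSend in reverse: verify over the fields exactly as received (ciphertext for encrypted ones) plus the IV, then decrypt.
func ServerReceive(msg interface{}, cfg Config, key []byte, pub ed25519.PublicKey, md Metadata) error {
	sig, err := base64.StdEncoding.DecodeString(md["x-signature"])
	if err != nil { return err }
	tbs, err := signedData(msg, cfg, md["x-iv"])
	if err != nil { return err }
	if !ed25519.Verify(pub, []byte(tbs), sig) { return fmt.Errorf("signature verification failed") }
	iv, err := base64.StdEncoding.DecodeString(md["x-iv"])
	if err != nil || len(iv) != aes.BlockSize { return fmt.Errorf("missing or malformed IV") }
	return xorFields(msg, cfg, key, iv, true)
}
```

With Account and Amount configured for encryption and all three fields for signing, the signature covers the two ciphertexts, the cleartext Memo and the IV, and the server rejects a message whose signed field, encrypted or not, was altered in transit, before spending any key stream on decryption. Binding the IV into the signed data goes slightly beyond the method as stated, which transmits the IV unsigned: without it an attacker cannot forge signed content, but can replace the IV and have the server decrypt the encrypted fields to garbage that still passes verification. In a real deployment the two functions are invoked from the unary or stream interceptors of the gRPC implementation in use, with keys and field lists taken from the configuration information and the Metadata map replaced by the call's metadata.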
Drawings
FIG. 1 is a schematic diagram of the system of the present invention.
Detailed Description
The following describes specific embodiments of the present invention. The following is merely illustrative of possible embodiments of the present invention, and is not meant to limit the invention.
The implementation of the present invention relies on the gRPC interceptor (Interceptor) and on reflection processing of data objects (a mechanism, technique or tool). Reflection processing means parsing, by a dedicated reflection tool or code, a data object whose data type and composition structure are not known in advance, and obtaining the data stored in it. Conventional gRPC implementation technology provides a gRPC interceptor mechanism and a reflection mechanism or tool (such as the reflection mechanisms of Java, Go or C#); for interpreted script programs, if the data object is represented as JSON, reflection processing of the JSON data object is straightforward.
The configuration information of the present invention may be implemented with any technique the implementer deems suitable, such as XML or JSON; its format is left to the implementer as long as it carries the necessary information. In some implementations it may be impossible to decide, from the class name and/or field names of a message data object alone, whether it requires cryptographic processing (encryption, decryption and/or signing, signature verification); the configuration information may then specify that processing is required when one or several fields of the message data object hold a particular value.
The technical solution of the invention is based on a gRPC interceptor that executes before gRPC serializes the message data object; the intercepted message data object is therefore the native data object of the programming language used by gRPC (Go, Java, C#, etc.).
gRPC has four calling modes: unary (simple) RPC, server-side streaming RPC, client-side streaming RPC and bidirectional streaming RPC. Some gRPC implementation technologies have interceptors that do not distinguish between unary and streaming calls, while others provide separate unary and stream interceptors. Whatever the calling mode and whichever kind of interceptor is involved, in the implementation of the invention the data submitted by the gRPC client constitutes the call request data: each message data object the gRPC client submits (on each occasion) is a request message data object, and the cryptographic processing interceptor processes each request message data object the client submits. The data submitted or returned by the gRPC server constitutes the call response data: each message data object the server submits or returns is a response message data object, and the cryptographic processing interceptor processes each response message data object the server submits or returns.
The data encryption and digital signature functions of the invention may be implemented together, or only one of them may be implemented. The cryptographic functions for requests and responses may be independent (different functions, keys and algorithms for requests and responses) or related (the same functions, keys and algorithms for both).
The data encryption function of the invention is applicable to existing, deployed systems and to newly developed systems. When the encryption function is implemented in the cryptographic processing interceptor and the cryptographic component, the programs of existing, deployed systems need not be modified, and for newly developed systems the application and system developers can attend only to the processing of application data without considering how its enc
ryption is implemented.
In the implementation of the encryption function, the encryption mode used for the data in the fields of request and response message data objects is stream encryption, and decryption is the corresponding stream decryption. Data of a non-byte-string type is first forcibly converted by the cryptographic processing interceptor into byte-string form and then encrypted or decrypted, and the result is stored back in the original field of the message data object as a value of the original data type. One practical check applies here: proto3 string fields must contain valid UTF-8 when serialized, so ciphertext written back into a string field has to be encoded (for example Base64) rather than stored as raw bytes, or such fields should be declared as bytes.
In the implementation of the encryption function, the cryptographic processing interceptor transmits the initialization vector (IV) of the stream-cipher key stream through the metadata of the gRPC request or response (the IV together with the key generates the initial key stream; the IV is non-secret data), or by other means (for example through another data transmission channel, or through a field of the message data object).
In the implementation of the encryption function, the fields of a message data object may be stream-encrypted with independent key streams or with a single key stream; in the latter case the key stream must be consumed continuously across the fields, because a stream cipher must never apply the same key-stream bytes to two different plaintexts. Likewise, the key-stream IV may be the same or different for the request and response message data objects and for different message data objects, provided the same key and IV pair is never reused for two messages; under one key this means a fresh IV for every message.
In an implementation where the gRPC client and server hold no stream-cipher key in advance, the cryptographic processing interceptor may negotiate or transfer the stream-cipher key through the metadata of the gRPC call request and response. The mechanisms for negotiating or transferring the key include a symmetric-key cryptographic mechanism (for example, deriving the stream-cipher key from a seed key held by both parties together with a randomly chosen non-secret byte string) and a public-key cryptographic mechanism (for example, encrypting the stream-cipher key with a public key); the key may also be negotiated or transferred by other means (through another data transmission channel, or through a field of byte-string type in the message data object).
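The two key-negotiation mechanisms just named (the symmetric seed-plus-random-byte-string mechanism and the public-key mechanism), as an added example in Go; this is not code from the patent. gRPC metadata is a plain map so the example needs no gRPC dependency; the symmetric variant derives the stream key with HMAC-SHA256 from the shared seed key and a fresh random non-secret byte string (the patent names no derivation function, so this is an assumption), the public-key variant wraps a client-generated key with RSA-OAEP under the server's public key, and the metadata key names x-key-nonce and x-wrapped-key and the label string are assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Metadata stands in for gRPC call metadata (metadata.MD); the key names below are assumed.
type Metadata map[string]string

const keyLabel = "grpc-stream-key" // domain-separation label, this example's choice

// DeriveStreamKey is the symmetric mechanism: both sides hold a long-term seed key and
// derive a 32-byte stream key from it and a non-secret random byte string. HMAC-SHA256
// serves as the key derivation function; the patent names no particular construction.
func DeriveStreamKey(seed, nonce []byte) []byte {
	m := hmac.New(sha256.New, seed)
	m.Write([]byte(keyLabel))
	m.Write(nonce)
	return m.Sum(nil)
}

// ClientOfferNonce picks the random byte string, places it in the request metadata
// and returns the stream key the client will use for this negotiation.
func ClientOfferNonce(seed []byte, md Metadata) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	md["x-key-nonce"] = base64.StdEncoding.EncodeToString(nonce)
	return DeriveStreamKey(seed, nonce), nil
}

// ServerAcceptNonce re-derives the same key from the received byte string; a missing
// or short nonce is rejected rather than silently yielding a predictable key.
func ServerAcceptNonce(seed []byte, md Metadata) ([]byte, error) {
	nonce, err := base64.StdEncoding.DecodeString(md["x-key-nonce"])
	if err != nil || len(nonce) < 16 {
		return nil, fmt.Errorf("missing or short key nonce")
	}
	return DeriveStreamKey(seed, nonce), nil
}

// NewServerKey generates the server's RSA key pair; in practice it is provisioned once, not generated per call.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ClientWrapKey is the public-key mechanism: the client generates the stream key and
// encrypts it under the server's public key with RSA-OAEP, so only the private-key holder recovers it.
func ClientWrapKey(serverPub *rsa.PublicKey, md Metadata) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, []byte(keyLabel))
	if err != nil {
		return nil, err
	}
	md["x-wrapped-key"] = base64.StdEncoding.EncodeToString(wrapped)
	return key, nil
}

// ServerUnwrapKey recovers the stream key; OAEP fails closed on any modification of the ciphertext.
func ServerUnwrapKey(serverPriv *rsa.PrivateKey, md Metadata) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(md["x-wrapped-key"])
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wrapped, []byte(keyLabel))
}
```

Neither variant by itself authenticates the peer or protects the negotiation data: a party that can rewrite request metadata can substitute its own nonce or wrapped key, so the negotiation values should be covered by the message's signed data (or the connection must run over TLS), and the nonce must be fresh for every negotiation, since a repeated nonce under the same seed repeats the stream key and, with a repeated IV, the key stream. The seed-key variant also offers no forward secrecy: whoever learns the seed can recompute every past key from the recorded nonces.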
The implementation of the digital signature function of the invention concerns how the data in the fields of the message data object that require signing and signature verification are combined to form the data to be signed and the data to be verified. Possible implementations are as follows:
1. an embodiment using name-value pairs,
The name and the data (value) of each field of the message data object that requires signing and verification are expressed as a name=value or name:value pair, where name is the field's name as a character string and value is the ASCII string obtained by Base64-encoding the field's data as a byte string; the pairs of several fields are joined with the "&" symbol to form:
name1=value1&name2=value2&...
For a message data object with a composite structure, i.e. where the value of a field is itself a message data object, the value in that field's name-value pair is the nested name-value pairs delimited by "{" and "}", for example
name1={name2=value2&...}&name3=value3...
and this may be nested further (the value of a field is a message data object, a field of which may itself be a message data object).
2. Implementation using JSON data
That is, a JSON data object represents the (request or response) message data object. The JSON data object has a structure (including the hierarchy) corresponding to the message data object; the name of each JSON field is the field name of the message data object, and the data (value) of each field is the ASCII string obtained by Base64-encoding the value of the corresponding field of the original message data object as a byte string.
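Both combination formats, including the nested case, as an added example in Go; this is not code from the patent. The two messages are constructed samples standing in for protobuf-generated types, the byte-string encoding of integers is this example's choice (eight big-endian bytes) since the patent leaves it to the implementer, and the output of either function is what the signing step feeds to the cryptographic component.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Constructed sample messages: Payment's Payer field is itself a message, which is
// the composite (nested) case described in the text.
type Party struct {
	ID   string
	Bank string
}

type Payment struct {
	Payer  Party
	Amount int64
	Memo   string
}

// leafBytes is the byte-string form of a non-message field before Base64: strings as-is,
// int64 as eight big-endian bytes (the integer encoding is this example's choice).
func leafBytes(v reflect.Value) ([]byte, error) {
	if v.Kind() == reflect.String { return []byte(v.String()), nil }
	if v.Kind() != reflect.Int64 { return nil, fmt.Errorf("unsupported field kind %s", v.Kind()) }
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(v.Int()))
	return b, nil
}

// NameValueForm renders a message as name1=value1&name2={...}&..., recursing into fields
// that are themselves messages and wrapping them in braces. Fields appear in struct
// declaration order, which signer and verifier share through the generated message type.
func NameValueForm(msg interface{}) (string, error) {
	v := reflect.Indirect(reflect.ValueOf(msg))
	if v.Kind() != reflect.Struct {
		return "", fmt.Errorf("message must be a struct, got %s", v.Kind())
	}
	parts := make([]string, 0, v.NumField())
	for i := 0; i < v.NumField(); i++ {
		name, f := v.Type().Field(i).Name, v.Field(i)
		if f.Kind() == reflect.Struct {
			inner, err := NameValueForm(f.Interface())
			if err != nil { return "", err }
			parts = append(parts, name+"={"+inner+"}")
			continue
		}
		b, err := leafBytes(f)
		if err != nil { return "", fmt.Errorf("field %s: %w", name, err) }
		parts = append(parts, name+"="+base64.StdEncoding.EncodeToString(b))
	}
	return strings.Join(parts, "&"), nil
}

// JSONForm is the patent's second option: the same tree as a JSON object whose leaves
// are Base64 strings. encoding/json sorts map keys, so the output is byte-for-byte
// identical on signer and verifier whatever order the fields were populated in.
func JSONForm(msg interface{}) (string, error) {
	tree, err := jsonTree(reflect.Indirect(reflect.ValueOf(msg)))
	if err != nil { return "", err }
	out, err := json.Marshal(tree)
	return string(out), err
}

// jsonTree converts a struct into nested maps and every leaf into its Base64 string.
func jsonTree(v reflect.Value) (interface{}, error) {
	if v.Kind() != reflect.Struct {
		b, err := leafBytes(v)
		if err != nil { return nil, err }
		return base64.StdEncoding.EncodeToString(b), nil
	}
	obj := make(map[string]interface{}, v.NumField())
	for i := 0; i < v.NumField(); i++ {
		child, err := jsonTree(v.Field(i))
		if err != nil { return nil, fmt.Errorf("field %s: %w", v.Type().Field(i).Name, err) }
		obj[v.Type().Field(i).Name] = child
	}
	return obj, nil
}
```

What makes either form safe to sign is that both sides produce byte-identical data: field order is fixed by the struct (or by key sorting, for the JSON map), and every leaf is Base64, whose alphabet contains none of the delimiters "&", "{" or "}" and uses "=" only as trailing padding, so no field content can inject a fake pair or shift a boundary. Carrying the field name with each value binds the value to its field, which is why swapping two same-typed values changes the signed data. Implementers still have to fix the byte-string encoding of every field type they use (integers, floats, repeated and optional fields) once, identically on both sides.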
The implementation of the digital signature function of the present invention is applicable to existing, deployed systems and to newly developed systems alike.
For existing, deployed systems, if the gRPC implementation meets the following conditions, the digital signature data can be stored in the metadata of the call request and call response for transfer:
(1) When the gRPC client submits a call request, the client's interceptor can set the metadata carried by the call request when it intercepts the request message data object or afterwards, and the gRPC server's interceptor can obtain the metadata carried by the call request when the request message data object reaches it or before;
(2) When the gRPC server returns a call response, the server's interceptor can set the metadata carried by the call response when it intercepts the response message data object or afterwards, and the gRPC client's interceptor can obtain the metadata carried by the call response when it intercepts the response message data object or before.
Alternatively, if the message data object has a byte-string field, the digital signature data may be appended to that field at an agreed position (such as the start or the end), so that the digital signature data is delivered via the byte-string field.
With either of these two modes of transferring the digital signature data, the digital signature function for request and response message data objects can be realized by implementing the digital signature function of the cryptographic processing interceptor and cryptographic component, without modifying the program code of the existing, deployed system. For newly developed systems, both modes are equally applicable, which allows application and system developers to focus on processing application data without regard to how digital signatures over that data are implemented.
For an existing, deployed system whose gRPC request and/or response message data object has no field defined for storing a digital signature and no byte-string field, and where the digital signature data cannot (or is not intended to) be transferred through the call request and response metadata, but where redefining the system's message data objects is permitted, the digital signature function of the invention can also be realized by simply redefining the message data object so that, in addition to the original data fields, it has a digital signature field for storing the digital signature data; the digital signature function for request and response message data objects is then realized by implementing the digital signature function of the cryptographic processing interceptor and cryptographic component. Redefining the message data object in this way is simple and requires no modification of other program code.
For newly developed systems, a field for storing the digital signature data can be defined when the request and response message data objects are defined, and the digital signature for the request and response message data objects is then realized by implementing the digital signature function of the cryptographic processing interceptor and cryptographic component, so that application and system developers only need to attend to the processing of application data and need not consider how the digital signature over that data is implemented.
Whether for an existing, deployed system or a newly developed one, the fields for storing the digital signature data, the initialization vector of the stream-encryption key stream, and the key negotiation data for stream encryption can be defined when the request and response message data objects are (re)defined, after which encryption, decryption, signing and signature verification for the request and response message data objects are realized by implementing the cryptographic processing interceptor and cryptographic component of the present invention.
Where the digital signature data is stored, and how the initialization vector of the key stream and the encryption key negotiation data are transferred, can be set through the configuration information.
It should be noted that "without modifying the program code of the system" means without modifying the main program code; a small number of changes to initialization code may be required to inject the interceptor (this is not needed if the interceptor is added by configuration, which depends on the interceptor mechanism of the gRPC implementation).
It can be seen that the implementation of the digital signature function of the present invention is very flexible, with various optional embodiments.
The present invention is directed to implementing digital signatures for message data objects, whether by digital signatures using public-key cryptographic algorithms or by symmetric-key signature mechanisms such as HMAC (Hashed Message Authentication Code).
On the basis of the cryptographic processing method for gRPC data, the invention can construct and implement a cryptographic processing system for gRPC data, comprising a cryptographic processing interceptor and a cryptographic component (see figure 1), where the cryptographic component provides cryptographic function calls and the cryptographic processing interceptor performs cryptographic processing on the data in gRPC message data objects by calling the cryptographic component; the cryptographic functions comprise encryption, decryption, signing and signature verification; the message data objects include request message data objects and response message data objects.
Other specific technical implementations not described are well known to those skilled in the relevant arts and are self-evident.

Claims (10)

1. A cryptographic processing method for gRPC data, characterized in that:
the gRPC implementation technology provides reflection processing for data objects and an interceptor mechanism for gRPC requests and responses; reflection processing means analyzing and determining the data class and data composition structure of a data object (referenced through a pointer) that is not known in advance, and getting and setting the data stored in that data object;
when a gRPC client submits a gRPC call request, the client's cryptographic processing interceptor is triggered; the cryptographic processing interceptor analyzes the request message data object using reflection, queries the configuration information according to the class name and/or field names of the request message data object, and determines whether the request message data object requires cryptographic processing, where the cryptographic processing comprises encryption and/or signing;
if the request message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
analyzing each field of the request message data object using reflection to obtain the type and field name of each field;
determining from the configuration information whether the request message data object requires encryption and, if so, calling the cryptographic component to encrypt the data in the fields that the configuration information designates for encryption;
determining from the configuration information whether the request message data object requires signing and, if so, combining the data in all fields that the configuration information designates for signing to form the data to be signed, calling the cryptographic component to digitally sign the combined data, and then storing the resulting digital signature data in the metadata of the call request or in the field of the request message data object that the configuration information designates for storing digital signature data;
the cryptographic processing interceptor is a program component developed on the interceptor mechanism of the gRPC implementation technology; it is triggered and executed when the gRPC client submits a gRPC call request and receives a gRPC call response, and when the gRPC server receives a gRPC call request and returns a gRPC call response, and it performs cryptographic processing on the request message data object and the response message data object;
the cryptographic component is a component that provides cryptographic functions;
the configuration information sets the cryptographic processing that the cryptographic processing interceptor performs on the request message data object and the response message data object.
2. The cryptographic processing method for gRPC data according to claim 1, characterized in that:
when the gRPC server receives a gRPC call request submitted by a gRPC client, the server's cryptographic processing interceptor is triggered; the cryptographic processing interceptor analyzes the request message data object using reflection, queries the configuration information by the class name and/or field names of the request message data object, and determines whether the request message data object requires cryptographic processing, where the cryptographic processing comprises decryption and/or signature verification;
if the request message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
analyzing each field of the request message data object using reflection to obtain the type and field name of each field;
determining from the configuration information whether the request message data object requires decryption and, if so, calling the cryptographic component to decrypt the data in the fields that the configuration information designates for decryption;
and determining from the configuration information whether the request message data object requires signature verification and, if so, combining the data in all fields that the configuration designates for signature verification to form the data to be verified, obtaining the digital signature data from the metadata of the call request or from the field of the request message data object that the configuration information designates for storing digital signature data, and calling the cryptographic component to verify the combined data against the obtained digital signature data; if verification passes, the request message is allowed through, and if it fails, processing switches to error handling.
3. The cryptographic processing method for gRPC data according to claim 2, characterized in that:
when the gRPC server returns a gRPC call response, the server's cryptographic processing interceptor is triggered; the cryptographic processing interceptor analyzes the response message data object using reflection, queries the configuration information by the class name and/or field names of the response message data object, and determines whether the response message data object requires cryptographic processing, where the cryptographic processing comprises encryption and/or signing;
if the response message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
analyzing each field of the response message data object using reflection to obtain the type and field name of each field;
determining from the configuration information whether the response message data object requires encryption and, if so, calling the cryptographic component to encrypt the data in the fields that the configuration information designates for encryption;
and determining from the configuration information whether the response message data object requires signing and, if so, combining the data in all fields that the configuration designates for signing to form the data to be signed, calling the cryptographic component to digitally sign the combined data, and storing the resulting digital signature data in the metadata of the call response or in the field of the response message data object that the configuration information designates for storing digital signature data.
4. The cryptographic processing method for gRPC data according to claim 3, characterized in that:
when the gRPC client receives a gRPC call response returned by the gRPC server, the client's cryptographic processing interceptor is triggered; the cryptographic processing interceptor analyzes the response message data object using reflection, queries the configuration information by the class name and/or field names of the response message data object, and determines whether the response message data object requires cryptographic processing, where the cryptographic processing comprises decryption and/or signature verification;
if the response message data object requires cryptographic processing, the cryptographic processing interceptor processes it as follows:
analyzing each field of the response message data object using reflection to obtain the type and field name of each field;
determining from the configuration information whether the response message data object requires decryption and, if so, calling the cryptographic component to decrypt the data in the fields that the configuration information designates for decryption;
and determining from the configuration information whether the response message data object requires signature verification and, if so, combining the data in all fields that the configuration designates for signature verification to form the data to be verified, obtaining the digital signature data from the metadata of the call response or from the field of the response message data object that the configuration information designates for storing digital signature data, and calling the cryptographic component to verify the combined data against the obtained digital signature data; if verification passes, the response message is allowed through, and if it fails, processing switches to error handling.
5. The cryptographic processing method for gRPC data according to claim 4, characterized in that:
if it cannot be determined from the class name and field names of a message data object whether the message data object requires cryptographic processing, the cryptographic processing interceptor further determines this according to the data in the field of the message data object designated by the configuration information; the message data objects include request message data objects and response message data objects.
6. The cryptographic processing method for gRPC data according to claim 5, characterized in that:
the encryption mode used for the data in the request message data object and the response message data object is stream encryption, and decryption uses the corresponding stream decryption; the cryptographic processing interceptor forcibly converts data of non-byte-string type to byte-string type before performing encryption and decryption.
7. The cryptographic processing method for gRPC data according to claim 6, characterized in that:
the cryptographic processing interceptor delivers the initialization vector of the stream-encryption key stream through the metadata of the gRPC request and response.
8. The cryptographic processing method for gRPC data according to claim 6, characterized in that:
if the gRPC client and server have no pre-agreed key for stream encryption, the cryptographic processing interceptor negotiates and transfers the key for stream encryption through the metadata of the gRPC call request and response, where the mechanisms for negotiating and transferring the stream-encryption key include symmetric-key cryptographic mechanisms and public-key cryptographic mechanisms.
9. The cryptographic processing method for gRPC data according to claim 5, characterized in that:
the data in the fields of the request message data object and the response message data object that require signing and signature verification is combined such that the combined data contains the names and values of those fields.
10. A cryptographic processing system for gRPC data based on the cryptographic processing method for gRPC data of any one of claims 1 to 9, characterized in that:
the cryptographic processing system for gRPC data comprises a cryptographic processing interceptor and a cryptographic component, where the cryptographic component provides cryptographic function calls and the cryptographic processing interceptor performs cryptographic processing on the data in gRPC message data objects according to the configuration information by calling the cryptographic component; the cryptographic functions comprise encryption, decryption, signing and signature verification; the message data objects include request message data objects and response message data objects.
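The client-side and server-side interceptor flow of claims 1, 2, 6 and 7 end to end, as an added example written for this page (not code from the patent): configuration information keyed by message class name names the fields to encrypt and the fields to sign and says where the signature goes; the client interceptor encrypts the configured fields with a stream cipher whose initialization vector is sent in the call-request metadata, forces non-byte values to byte strings first, then signs and places the signature in metadata; the server interceptor verifies, then decrypts, and switches to error handling on a bad signature. The message class, the configuration layout, the metadata key names, the pre-shared keys, and HMAC-SHA256 in counter mode as the stream cipher are all assumptions; the patent names none of them.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class LoginRequest:           # constructed request message data object
    username: str
    password: bytes
    client_id: int


# Constructed configuration information, keyed by message class name.
CONFIG = {
    "LoginRequest": {
        "encrypt_fields": ["password"],                        # data to stream-encrypt
        "sign_fields": ["username", "password", "client_id"],  # data combined for signing
        "signature_location": "metadata",   # "metadata" or the name of a field in the message
    }
}
STREAM_KEY = b"\x11" * 32     # constructed pre-shared key for stream encryption
SIGN_KEY = b"\x22" * 32       # constructed HMAC key for the symmetric-key signature
IV_META = "x-stream-iv"       # constructed metadata key carrying the initialization vector
SIG_META = "x-signature"      # constructed metadata key carrying the digital signature


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumed; the
    patent requires stream encryption but names no algorithm)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stream encryption and decryption are the same XOR operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def as_bytes(v) -> bytes:
    """Forced conversion of non-byte-string data to a byte string (rules assumed)."""
    if isinstance(v, bytes):
        return v
    if isinstance(v, str):
        return v.encode("utf-8")
    if isinstance(v, int):
        return v.to_bytes(8, "big", signed=True)
    raise TypeError(type(v).__name__)


def data_to_sign(msg, fields) -> bytes:
    """Flat name=Base64(value) pairs joined by '&': the combined data carries
    both the field names and their values, as claim 9 requires."""
    return "&".join(f"{n}={base64.b64encode(as_bytes(getattr(msg, n))).decode()}"
                    for n in fields).encode("ascii")


def client_interceptor(msg, metadata: dict):
    """Triggered when the client submits a call request."""
    cfg = CONFIG.get(type(msg).__name__)
    if cfg is None:
        return msg                          # no cryptographic processing configured
    iv = os.urandom(16)
    metadata[IV_META] = base64.b64encode(iv).decode()
    for name in cfg["encrypt_fields"]:      # encrypt first, then sign (order of claim 1)
        setattr(msg, name, stream_xor(STREAM_KEY, iv, as_bytes(getattr(msg, name))))
    sig = hmac.new(SIGN_KEY, data_to_sign(msg, cfg["sign_fields"]), hashlib.sha256).digest()
    if cfg["signature_location"] == "metadata":
        metadata[SIG_META] = base64.b64encode(sig).decode()
    else:
        setattr(msg, cfg["signature_location"], sig)
    return msg


def server_interceptor(msg, metadata: dict):
    """Triggered when the server receives the call request. The signature was
    taken over the encrypted fields, so it is verified before decryption."""
    cfg = CONFIG.get(type(msg).__name__)
    if cfg is None:
        return msg
    if cfg["signature_location"] == "metadata":
        sig = base64.b64decode(metadata.get(SIG_META, ""))
    else:
        sig = getattr(msg, cfg["signature_location"])
    expected = hmac.new(SIGN_KEY, data_to_sign(msg, cfg["sign_fields"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("signature verification failed")   # switch to error handling
    iv = base64.b64decode(metadata[IV_META])
    for name in cfg["encrypt_fields"]:
        setattr(msg, name, stream_xor(STREAM_KEY, iv, getattr(msg, name)))
    return msg


def roundtrip_ok(tamper: bool = False) -> bool:
    """Send one request through both interceptors; optionally alter a signed
    field in transit. Returns True only if verification passes and the
    decrypted field matches the original."""
    metadata = {}
    req = client_interceptor(LoginRequest("alice", b"hunter2", 42), metadata)
    if tamper:
        req.client_id = 43
    try:
        return server_interceptor(req, metadata).password == b"hunter2"
    except PermissionError:
        return False
```

Claim 2 lists the server's steps as decryption followed by verification, while claim 1 has the client encrypt and then sign. If a field is in both the encrypt and the sign set, those two orders cannot both hold: the signature would cover ciphertext on one side and plaintext on the other. This example resolves it by verifying before decrypting; the configuration must pin down the same choice for both interceptors, and keeping the signed and encrypted field sets disjoint is the other way to make the claimed orders consistent.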
CN202210703747.8A 2022-06-21 2022-06-21 Password processing method and system for gRPC data Active CN115174100B (en)

Publications (2)

Publication Number Publication Date
CN115174100A CN115174100A (en) 2022-10-11
CN115174100B true CN115174100B (en) 2024-04-12

Family

ID=83486355

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018000886A1 (en) * 2016-07-01 2018-01-04 广州爱九游信息技术有限公司 Application program communication processing system, apparatus, method, and client terminal, and server terminal
CN108337236A (en) * 2017-12-28 2018-07-27 杭州马猴烧韭科技有限公司 gRPC calling method and device based on Protobuf and HTTP/1.1
CN110247759A (en) * 2019-06-03 2019-09-17 武汉理工大学 SM9 private key generation and application method and system
CN111132138A (en) * 2019-12-06 2020-05-08 中国电子科技集团公司电子科学研究院 Transparent communication protection method and device for mobile application program
CN111309374A (en) * 2020-01-21 2020-06-19 苏州达家迎信息技术有限公司 Micro-service system and service calling method in micro-service system
CN114462059A (en) * 2021-12-30 2022-05-10 济南超级计算技术研究院 Table field level encryption and security access control method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113647051B (en) * 2019-01-28 2024-08-20 康奈尔克有限公司 System and method for secure electronic data transmission

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
An improved feature extraction method for rolling bearing fault diagnosis based on MEMD and PE; Quan Liu et al.; POMR; 20180831; full text *
Design and implementation of an SMS source authentication system on the Android platform; 胡先祥; 曹斌; Computer Applications and Software; 20180215(02); full text *
Design and implementation of a JWT-based authentication and authorization mechanism for distributed systems; 童敏 et al.; Journal of Hefei Normal University; 20220531; full text *

Also Published As

Publication number Publication date
CN115174100A (en) 2022-10-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant