CN115801281A - Authorization method, electronic device, and computer-readable storage medium - Google Patents

Publication number: CN115801281A
Authority: CN (China)
Prior art keywords: digital certificate, digital, terminal, authorization, certificate
Legal status: Pending
Application number: CN202211508694.0A
Other languages: Chinese (zh)
Inventors: 张迪, 赖育森, 吴宇杰, 廖时荣, 余小龙, 李新国, 宫俊
Current Assignee: Shenzhen National Engineering Laboratory Of Digital Television Co ltd
Original Assignee: Shenzhen National Engineering Laboratory Of Digital Television Co ltd

Abstract

The application provides an authorization method, an electronic device and a computer readable storage medium, wherein the method comprises the following steps: configuring a plurality of types of digital certificates, wherein the digital certificates at least comprise a management type digital certificate and at least one type of common type digital certificate; issuing an authorization file to the terminal through the authority of the management digital certificate, and backing up the authorization file; acquiring an operation request reported by a terminal; verifying the validity of the first common digital certificate through the authorization file; under the condition that the first common digital certificate is legal, verifying the legality of the operation request through the first digital signature; and executing the operation corresponding to the operation request under the condition that the operation request is legal. According to the method, when the terminal authority needs to be changed, only the authority of the management-type digital certificate is needed to issue the authorization file to the terminal again, and the identity and the authority of each terminal are authenticated again according to the updated authorization file in the authentication stage, so that the flexibility of re-authorization when the terminal authority is changed is greatly improved.

Description

Authorization method, electronic device, and computer-readable storage medium
Technical Field
The present application relates to the field of online authorization technologies, and in particular, to an authorization method, an electronic device, and a computer-readable storage medium.
Background
With the current trend toward digital offices, enterprises and public institutions often need to build a digital management platform to manage complex services. On a large, complex platform, management by a single person cannot cover every service, while management by several people easily leads to disorder such as unclear authority and overlapping management. It is therefore necessary to divide tasks and set up multiple roles on the digital management platform to manage different services. For example, managing a shopping mall, an industrial park or a public street requires several roles, such as network managers, monitors and fire inspectors, working together. The important question is how to grant the corresponding operation permissions to multiple roles while ensuring security and authenticating the identities of business personnel. In the prior art, a digital certificate management system built on the PKI (Public Key Infrastructure) mechanism needs to introduce a third-party institution for authentication, and when the authority of business personnel changes, the authorization flexibility is low.
Disclosure of Invention
The main purpose of the embodiments of the present application is to provide an authorization method, an electronic device, and a computer-readable storage medium, which enable each type of digital certificate to correspond to different operation permissions by classifying the digital certificates, so as to grant corresponding operation permissions while performing identity authentication on a service terminal, and improve flexibility of re-authorization when a terminal permission is changed.
To achieve the above object, a first aspect of an embodiment of the present application provides an authorization method, including:
configuring a plurality of types of digital certificates, wherein the digital certificates at least comprise a management type digital certificate and a common type digital certificate, and the management type digital certificate corresponds to the authority of issuing an authorization file;
issuing an authorization file to at least one terminal through the authority of the management type digital certificate, and backing up the authorization file, wherein the authorization file comprises the common type digital certificate and a corresponding digital signature;
acquiring an operation request reported by a terminal, wherein the operation request carries a first common digital certificate and a first digital signature corresponding to the terminal;
verifying the validity of the first common digital certificate through the authorization file;
under the condition that the first common digital certificate is legal, verifying the legality of the operation request through the first digital signature;
and executing the operation corresponding to the operation request under the condition that the operation request is legal.
In some embodiments, the method further comprises:
and configuring a preset decryption module, wherein at least one of a first preset private key and a first preset public key is stored in the preset decryption module, the first preset private key is used for decrypting the PCK file, and the first preset public key is used for verifying the first digital signature.
In some embodiments, the method further comprises:
verifying the legality of the management digital certificate through a preset CA certificate;
and under the condition that the management digital certificate is legal, verifying the legality of the first common digital certificate through the authorization file.
In some embodiments, said verifying the validity of said first generic type digital certificate by said authorization file includes:
and determining the legality of the first common digital certificate according to the consistency of the common digital certificate stored in the authorization file and the first common digital certificate.
In some embodiments, the authorization file further includes a preset digest algorithm, the preset digest algorithm is used to generate a digest of the generic digital certificate, and the verifying the validity of the operation request through the digital signature includes:
generating a first digest of the first common digital certificate through a preset digest algorithm;
decrypting the first digital signature through a first preset public key to obtain a second digest;
and determining the legality of the operation request according to the consistency of the first digest and the second digest.
In some embodiments, the method further comprises:
sending a certificate issuance request to a security center;
receiving a PCK file fed back by the security center in response to the certificate issuance request, wherein the PCK file is obtained by encrypting a P12 digital envelope by using the first preset public key;
decrypting the PCK file through a first preset private key to obtain the P12 digital envelope, wherein the P12 digital envelope at least comprises a management digital certificate and at least one type of the common digital certificate;
and extracting and storing various types of digital certificates from the P12 digital envelope.
In some embodiments, the digital certificate further includes an audit-type digital certificate, and the audit-type digital certificate corresponds to an operation right for viewing the terminal log information.
In some embodiments, the digital certificate includes at least a user entry or an extension entry, the method further comprising:
determining the type of the digital certificate through a user item in the digital certificate;
or determining the type of the digital certificate through the extension item in the digital certificate.
A second aspect of an embodiment of the present application provides an electronic device, including: memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the authorization method as described in any of the embodiments of the first aspect when executing the computer program.
A third aspect of embodiments of the present application provides a computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs, which are executable by one or more processors to implement the authorization method according to any one of the embodiments of the first aspect.
The authorization method, the electronic device and the computer-readable storage medium provided by the embodiment of the application comprise the following steps: configuring a plurality of types of digital certificates, wherein the digital certificates at least comprise management type digital certificates and common type digital certificates, and the management type digital certificates correspond to the authorities of issuing authorization files; issuing an authorization file to at least one terminal through the authority of the management type digital certificate, and backing up the authorization file, wherein the authorization file comprises the common type digital certificate and a corresponding digital signature; acquiring an operation request reported by a terminal, wherein the operation request carries a first common digital certificate and a first digital signature corresponding to the terminal; verifying the validity of the first common digital certificate through the authorization file; under the condition that the first common digital certificate is legal, verifying the legality of the operation request through the first digital signature; and executing the operation corresponding to the operation request under the condition that the operation request is legal. 
In the application, a plurality of types of digital certificates are configured locally in advance, including a management type digital certificate and a plurality of types of common digital certificates. The management type digital certificate corresponds to the authority to issue an authorization file to a terminal, and the terminal confirms its identity after acquiring the authorization file. When the terminal needs to execute an operation, it reports an operation request to the system; the operation request carries the first common type digital certificate corresponding to the terminal identity and a corresponding first digital signature. After receiving the operation request, the system verifies the legitimacy of the terminal's first common type digital certificate against the authorization file it has backed up. If the certificate is legal, the terminal has been authorized by the system, and the legitimacy of the operation request is then verified through the first digital signature. If the operation request is verified to be legal, it was sent by the terminal corresponding to the first common digital certificate, and it can be executed.
Based on the method provided by the embodiment of the application, when the terminal identity changes and the terminal rights need to be modified, the authority of the management-type digital certificate is all that is needed to issue the authorization file to each terminal again. After the authorization file is reissued, the locally backed-up authorization file is updated, so that if a terminal reports an operation request using the first digital certificate identity from before the update, verification fails. On this basis, the flexibility of re-authorization when the terminal identity changes is greatly improved while the reliability of the authorization trust chain is ensured.
Drawings
FIG. 1 is a flow chart of an authorization method provided by one embodiment of the present application;
FIG. 2 is a schematic diagram of an authorization method provided by one embodiment of the present application;
FIG. 3 is a sub-flow diagram of an authorization method provided by one embodiment of the present application;
FIG. 4 is a sub-flow diagram of an authorization method provided by one embodiment of the present application;
FIG. 5 is a sub-flow diagram of an authorization method provided by one embodiment of the present application;
FIG. 6 is a schematic diagram of an authorization method provided by one embodiment of the present application;
FIG. 7 is a schematic diagram of an electronic device provided by an embodiment of the present application.
The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the embodiments of the disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The authorization method provided by the embodiment of the application can be applied to a terminal, can also be applied to a server side, and can also be software running in the terminal or the server side. In some embodiments, the terminal may be a smartphone, tablet, laptop, desktop computer, smart watch, or the like; the server side can be configured into an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and cloud servers for providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN (content delivery network) and big data and artificial intelligence platforms; the software may be an application or the like that implements the authorization method, but is not limited to the above form.
The disclosed embodiments are operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage media including memory storage devices.
Referring to FIG. 1, an authorization method proposed in an embodiment of the present application includes, but is not limited to, the following steps S101 to S106.
Step S101, configuring a plurality of types of digital certificates, wherein the digital certificates at least comprise a management type digital certificate and at least one type of common type digital certificate, and the management type digital certificate corresponds to the authority to issue an authorization file to a terminal;
Step S102, issuing an authorization file to at least one terminal through the authority of the management type digital certificate, and backing up the authorization file, wherein the authorization file comprises a common type digital certificate and a corresponding digital signature;
Step S103, acquiring an operation request reported by the terminal, wherein the operation request carries a first common digital certificate and a first digital signature corresponding to the terminal;
Step S104, verifying the validity of the first common digital certificate through the authorization file;
Step S105, under the condition that the first common digital certificate is legal, verifying the legality of the operation request through the first digital signature;
Step S106, executing the operation corresponding to the operation request under the condition that the operation request is legal.
In some embodiments, multiple types of digital certificates are configured in advance on the system side, including at least a management-type digital certificate and at least one common-type digital certificate, and it is understood that each digital certificate corresponds to a different terminal role, and thus a different right. It should be noted that, referring to fig. 2, the management-type digital certificate corresponds to the right of issuing the authorization file to the terminal, and after receiving the authorization file, the terminal determines the identity and the corresponding right according to the authorization file.
In some embodiments, after determining the digital certificate to be issued based on the service requirement, the system side packages the digital certificate and the corresponding digital signature as an authorization file, issues the authorization file to at least one terminal through the authority of the management-type digital certificate, and backs up the authorization file locally in the system, so that the validity of an operation request subsequently reported by the terminal can be verified step by step against the authorization file.
In some embodiments, after receiving the authorization file and determining the identity of the terminal and the corresponding authority, the terminal reports an operation request to the system, and specifically, the operation request carries a first generic digital certificate used for authenticating the identity of the terminal and a first digital signature used for verifying whether the operation request is sent by the terminal.
It can be understood that, to prevent the system from performing an erroneous operation after receiving an operation request reported by an illegal terminal, the terminal carries in the reported operation request a first common digital certificate that certifies its identity. After receiving the operation request, the system first verifies the validity of the first common digital certificate against the locally backed-up authorization file, and thereby verifies the identity of the terminal. Specifically, the common digital certificates issued to terminals by the system are stored in the backed-up authorization file, and the system compares whether the first common digital certificate is the same as a common digital certificate stored in the authorization file. If so, the first common digital certificate was issued by the system to the terminal after being authenticated by a management digital certificate, and it is legal. If the first common digital certificate is not authenticated by the management digital certificate or the first management digital certificate is tampered with, the first common digital certificate is illegal, the system has not authorized the terminal, and the terminal is an illegal terminal; the operation request reported by the terminal is then directly refused.
When the first common digital certificate is legal, the terminal has been authorized by the system. To prevent a network attacker from illegally controlling the terminal, through Trojan viruses or other means, to upload an operation request message, the terminal needs to sign the operation request message after generating it. Specifically, the terminal generates the digest of the first common digital certificate through a preset digest algorithm and encrypts the digest with a pre-configured private key to generate the digital signature corresponding to the terminal's first common digital certificate. It can be understood that, since the network attacker cannot know the digest algorithm used and the preset private key in advance, the network attacker cannot generate a correct digital signature. Based on this, after the system receives the operation request reported by the terminal and determines that the terminal is legal, the system also needs to check the signature of the operation request to prove that the operation request was reported by a legal operator through the terminal. When the verification passes, the operation request is proved to be completely legal, and the system can execute it.
In some embodiments, the authorization file has a timestamp or a monotonic sequence number to support dynamic update of the authorization file, and the verifier accepts only the largest monotonic sequence number. On this basis, if the authorization file is tampered with, the timestamp or the monotonic sequence number is also updated, the verifier finds during verification that the authorization file has been tampered with, the verification fails and the authorization is rejected. The reliability of the trust chain is thereby further improved.
In the embodiment of the application, multiple types of digital certificates are configured locally in advance, including a management type digital certificate and multiple types of common digital certificates. The management type digital certificate corresponds to the authority to issue an authorization file to a terminal, and the terminal confirms its identity after acquiring the authorization file. When the terminal needs to execute an operation, it reports an operation request to the system; the operation request carries the first common type digital certificate corresponding to the terminal identity and a corresponding first digital signature. After receiving the operation request, the system verifies the legitimacy of the terminal's first common type digital certificate against the authorization file it has backed up. If the certificate is legal, the terminal has been authorized by the system, and the legitimacy of the operation request is then verified through the first digital signature. If the operation request is verified to be legal, it was sent by the terminal corresponding to the first common digital certificate and can be executed. Based on the method provided by the embodiment of the application, when the terminal identity changes and the terminal rights need to be modified, only the authority of the management digital certificate is needed to issue the authorization files to each terminal again, and after the authorization files are reissued, the locally backed-up authorization files are updated accordingly.
In some embodiments, referring to fig. 3, the authorization method further includes, but is not limited to, the following steps S301 to S303.
Step S301, verifying the legality of the management digital certificate through a preset CA certificate;
Step S302, under the condition that the management digital certificate is legal, verifying the legality of the first common digital certificate through the authorization file.
It can be understood that a third-party certification authority provides the CA certification service to certify the validity of the management digital certificate. A management digital certificate issued by the CA certification authority reduces the risk that a network attacker logs in to the system with a forged management digital certificate and thereby certifies an illegal first common digital certificate. Specifically, the management digital certificate can be verified through its corresponding digital signature: the digital signature is obtained by computing a digest of the management digital certificate with a preset digest algorithm and then signing it with a private key; the signature is decrypted with the public key provided by a preset CA (certificate authority) and restored to a digest, and the digest of the management digital certificate is then generated with the same digest algorithm.
In some embodiments, referring to fig. 4, the authorization method further includes, but is not limited to, the following steps S401 to S403.
Step S401, generating a first digest of a first common digital certificate through a preset digest algorithm;
Step S402, decrypting the first digital signature through a first preset public key to obtain a second digest;
Step S403, determining the legality of the operation request according to the consistency of the first digest and the second digest.
It can be understood that the authorization file further stores a preset digest algorithm, which is the digest algorithm used when the corresponding digital signature is generated from a first common digital certificate: the digital signature is obtained by generating a digest with the preset digest algorithm and encrypting it with the private key. After the system receives the operation request, it decrypts the first signature carried in the operation request with the public key to obtain the corresponding second digest, and then compares the second digest with the first digest of the first common digital certificate generated with the preset digest algorithm. If the first digest is exactly the same as the second digest, the first digital signature is legal, the operation request was reported after being authenticated and signed by the terminal, and it can be executed. If the first digest differs from the second digest, the first digital signature is illegal, the operation request has not passed terminal authentication, and the system refuses to execute the operation request.
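The checks of steps S104 to S105 and S401 to S403, together with the monotonic sequence number described earlier, sketched as an added example (not code from the patent or its applicant). The `AuthorizationFile` and `Verifier` names, the digest allowlist, the byte-string stand-ins for certificates and the Mersenne-prime demo key are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed demo key built from two Mersenne primes so the block needs only
# the standard library. It is trivially factorable: for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer

# Assumption: the verifier only honours digest names from its own allowlist,
# whatever the authorization file asks for.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}


def digest_int(alg: str, data: bytes) -> int:
    """Digest `data` with the named algorithm and return it as an integer."""
    return int.from_bytes(hashlib.new(alg, data).digest(), "big")


def sign_cert(cert: bytes, alg: str = "sha256") -> int:
    """Signer side: digest the certificate, then apply the private key.

    Unpadded RSA mirrors the wording of the description; production code
    uses a padded signature scheme from a vetted library.
    """
    return pow(digest_int(alg, cert), D, N)


@dataclass(frozen=True)
class AuthorizationFile:
    sequence: int      # monotonic sequence number
    digest_alg: str    # preset digest algorithm named in the file
    certs: frozenset   # common-type certificates issued to terminals


class Verifier:
    """System side: keeps the backed-up authorization file and checks requests."""

    def __init__(self) -> None:
        self.backup = None

    def install(self, auth: AuthorizationFile) -> bool:
        """Accept a (re)issued file only if its sequence number is larger."""
        if auth.digest_alg not in ALLOWED_DIGESTS:
            return False
        if self.backup is not None and auth.sequence <= self.backup.sequence:
            return False
        self.backup = auth
        return True

    def check(self, cert: bytes, signature: int) -> str:
        """Certificate consistency first, then the digest comparison."""
        if self.backup is None:
            return "reject: no authorization file"
        if cert not in self.backup.certs:
            return "reject: certificate not in authorization file"
        if not 0 < signature < N:
            return "reject: signature does not verify"
        first = digest_int(self.backup.digest_alg, cert)  # first digest
        second = pow(signature, E, N)                      # second digest
        if first != second:
            return "reject: signature does not verify"
        return "execute"


def run_demo() -> list:
    """Walk through issue, request, tampering, re-issue and rollback."""
    cert_v1 = b"constructed common-type cert: fire-inspector, issue 1"
    cert_v2 = b"constructed common-type cert: fire-inspector, issue 2"
    v = Verifier()
    out = [v.install(AuthorizationFile(1, "sha256", frozenset({cert_v1})))]
    out.append(v.check(cert_v1, sign_cert(cert_v1)))       # issued certificate
    out.append(v.check(cert_v2, sign_cert(cert_v2)))       # never issued
    out.append(v.check(cert_v1, sign_cert(cert_v1) ^ 1))   # altered signature
    out.append(v.install(AuthorizationFile(2, "sha256", frozenset({cert_v2}))))
    out.append(v.check(cert_v1, sign_cert(cert_v1)))       # stale after re-issue
    out.append(v.check(cert_v2, sign_cert(cert_v2)))
    out.append(v.install(AuthorizationFile(1, "sha256", frozenset({cert_v1}))))
    out.append(v.install(AuthorizationFile(3, "md5", frozenset({cert_v1}))))
    return out


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The signed value is a digest of the certificate alone, as the description states, so it is the same for every request from that terminal. Covering the request body and a freshness value with the signature would be a hardening assumption outside the patent text.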
Referring to fig. 5, in some embodiments, the authorization method further includes, but is not limited to, the following steps S501 to S504.
Step S501, sending a certificate issuing request to a security center;
Step S502, receiving a PCK file fed back by the security center in response to the certificate issuing request, wherein the PCK file is obtained by encrypting the P12 digital envelope by using a first preset public key;
Step S503, decrypting the PCK file through a first preset private key to obtain a P12 digital envelope, wherein the P12 digital envelope at least comprises a management digital certificate and at least one common digital certificate;
Step S504, extracting various types of digital certificates from the P12 digital envelope and storing them.
In some embodiments, the system may send the certificate issuance request over a communication channel established with the security center, such as by mail or a communication link established between the system and the security center dedicated to sending the certificate issuance request.
In some embodiments, after receiving a certificate issuance request from a system, the security center determines the types of digital certificate to be issued according to the request, encapsulates the digital certificates into a P12 digital envelope, encrypts the P12 digital envelope to obtain a PCK file, and issues the PCK file to the system by mail or over a communication link established with the system and dedicated to issuing the PCK file, wherein the digital certificates at least comprise a management-class digital certificate and a common-class digital certificate.
In some embodiments, a USB dongle is configured in the system in advance and the first preset private key is stored in the system; after the PCK file is received, it is decrypted with the first preset private key to obtain the P12 digital envelope. It can be understood that, while the P12 digital envelope is being issued, a network attacker could hijack the data packets so that the digital certificates are leaked, or could use a previously backed-up forged digital certificate for authorization. To prevent this, the security center encrypts the P12 digital envelope with the preset public key to generate the PCK file, and the first preset private key corresponding to the security center's preset public key is configured in the system in advance. After the system receives the PCK file, it decrypts the file with the first preset private key, restoring the P12 digital envelope and obtaining the digital certificates in it. Because asymmetric encryption is used in this process, the PCK file cannot be decrypted with the first preset public key.
In the embodiment of the application, a certificate issuance request is reported to the security center, and the PCK file fed back by the security center based on the request is received. In this process, the security center packages the digital certificates into a P12 digital envelope, encrypts the P12 digital envelope with the first preset public key to generate the PCK file, and issues the PCK file to the system. After receiving the PCK file, the system decrypts it with the first preset private key, which is pre-configured in the system and corresponds to the first preset public key. Because the encryption is asymmetric, the digital certificates are not leaked even if the PCK file is hijacked on its way from the security center to the system, which guarantees security during the issuing of the digital certificates.
In some embodiments, a third-party organization is introduced as the security center and provides a CA authentication service (electronic authentication service: an activity that provides authenticity and reliability verification for all parties related to an electronic signature). A CA private key is thereby obtained, the various digital certificates are issued with the CA private key, and the digital certificates are then stored locally in the system. When a digital certificate is subsequently issued, the CA authentication service does not need to be requested from the third-party organization; it is only necessary to package the digital certificates and digital signatures into authorization files and issue them to the terminals. This achieves one-time deployment with repeated use, reduces cost and greatly improves authorization flexibility.
It is understood that, in some embodiments, a preset decryption module may be configured in the system in advance, with at least one of a first preset public key and a first preset private key stored in it. The first preset private key is used to decrypt the PCK file and restore it to a P12 digital envelope, and the first preset public key is used to verify the digital signature. With a preset decryption module storing the first preset private key and the first preset public key configured in the system in advance, certificate issuance proceeds as follows: the security center packages the issued digital certificates into a P12 digital envelope and encrypts the envelope with the public key to obtain a PCK file; after receiving the PCK file, the system decrypts it with the first preset private key and restores the P12 digital envelope. Even if the PCK file is hijacked by a network attacker in transit, the attacker does not have the first preset private key and cannot decrypt the file or restore the P12 envelope, so encrypting with the public key and decrypting with the private key ensures the security of certificate issuance. In the authorization verification process, the operation request reported by the terminal carries a digital signature corresponding to the operation request: in the asymmetric scheme, the terminal signs the operation request with the first preset private key when uploading it, and the system verifies the signature with the first preset public key.
In some embodiments, referring to fig. 2, the digital certificates further include an audit digital certificate, which corresponds to the operation authority for viewing system log information. On this basis, the audit digital certificate is used to set up an external management terminal that audits the system, so as to construct a more complete trust chain.
In some embodiments, the digital certificate includes at least a user item or an extension item, and the type of the digital certificate is determined by the user item in the digital certificate or by the extension item in the digital certificate.
Referring to fig. 6, an embodiment of the authorization method of the present application is as follows. Taking a public large-screen display management system as an example, the business requirement is to restrict the public large screen to playing only approved, legitimate materials. Based on this requirement, four types of service terminal roles can be set, namely an uploading terminal, an auditing terminal, a management terminal and an auditing terminal.
First, the system and the security center are each provided with a decryption USB dongle (a hardware cryptographic module with a USB interface) that stores a public-private key pair; with this key pair, the system and the security center can encrypt and decrypt data and perform signature verification on it. The security center is additionally provided with an issuing USB dongle that stores the CA private key. It can be understood that this configuration is needed only for the first authorization; after the first authorization is completed, the issuing USB dongle and the decryption USB dongle can be reused many times.
The system sends the security center a certificate issuance request for four types of digital certificates, namely an audit type, a management type and an uploading type. The security center receives the request, issues the various digital certificates with the CA private key, packages them into a P12 digital envelope, encrypts the P12 digital envelope with the first preset public key stored in a decryption USB dongle to generate a PCK file, and issues the PCK file to the system. After receiving the PCK file, the system decrypts it with the first preset private key stored in the USB dongle, restores the P12 digital envelope and stores it locally. The holder of the management digital certificate, namely the management terminal, then distributes the various digital certificates to the corresponding service terminals, which completes the distribution of the digital certificates. It will be appreciated that the above embodiment is an example of using the system for authorization for the first time, which requires a certificate issuance request to be sent to the security center.
After receiving the digital certificates issued by the security center, the system issues authorization files to the auditing terminal and the uploading terminal through the management digital certificate. Specifically, the system issues an authorization file for the material-uploading authority to the uploading terminal and an authorization file for the material-auditing authority to the auditing terminal. After the uploading terminal uploads the service material, the auditing terminal audits it. Once the audit is passed, the auditing terminal digitally signs the material data with the private key corresponding to the auditing terminal digital certificate, and the audited service material and the first common digital certificate corresponding to the auditing terminal are packaged into an operation request message and submitted to the system. After receiving the material, the system verifies the legitimacy of the management terminal digital certificate through the CA root certificate, then verifies the legitimacy of the auditing terminal digital certificate according to the authorization file, and finally verifies the service material according to the digital signature corresponding to the auditing terminal digital certificate. If the verification passes, the management terminal has been authenticated by the CA certificate, the auditing terminal has been authenticated by the management terminal, and the material has been audited by the auditing terminal and can be played. A complete trust chain is constructed in this way. When the identity of the auditing terminal changes, it is only necessary to re-issue to the auditing terminal, through the management digital certificate, an authorization file formed from another type of common digital certificate, which improves the flexibility of the authorization chain while ensuring security when the trust chain is changed.
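The verification order of this embodiment (CA root, then management certificate, then authorization file, then request signature), as an added Go example that is not part of the patent. Assumptions: Ed25519 keys, the certificate type carried in the subject OU, an authorization file made of the terminal certificate plus the management key's signature over it, and the hypothetical names `issue`, `authorize`, `signRequest` and `verify`; all certificates are constructed in-process as sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AuthFile (assumed layout): a terminal certificate plus the management key's signature over it.
type AuthFile struct{ Cert *x509.Certificate; Sig []byte }
type Request struct{ Cert *x509.Certificate; Payload, Sig []byte }

// issue plays the security center: it signs a certificate whose subject OU carries
// the certificate type (an assumption). parent == nil yields the self-signed CA root.
func issue(cn, ou string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage = true, tpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// authorize is the management terminal issuing an authorization file for c.
func authorize(mgmtKey ed25519.PrivateKey, c *x509.Certificate) AuthFile {
	return AuthFile{Cert: c, Sig: ed25519.Sign(mgmtKey, c.Raw)}
}

// signRequest is a terminal signing an operation request with its own private key.
func signRequest(key ed25519.PrivateKey, c *x509.Certificate, payload []byte) Request {
	return Request{Cert: c, Payload: payload, Sig: ed25519.Sign(key, payload)}
}

// verify walks CA root -> management certificate -> authorization file -> request signature.
func verify(ca, mgmt *x509.Certificate, af AuthFile, req Request) (string, error) {
	if mgmt.CheckSignatureFrom(ca) != nil || strings.Join(mgmt.Subject.OrganizationalUnit, ",") != "management" {
		return "", fmt.Errorf("management certificate not valid under the CA root")
	}
	if af.Cert == nil || mgmt.CheckSignature(x509.PureEd25519, af.Cert.Raw, af.Sig) != nil {
		return "", fmt.Errorf("authorization file not signed by the management certificate")
	}
	if !af.Cert.Equal(req.Cert) {
		return "", fmt.Errorf("terminal certificate is not the one in the authorization file")
	}
	if req.Cert.CheckSignature(x509.PureEd25519, req.Payload, req.Sig) != nil {
		return "", fmt.Errorf("operation request signature invalid")
	}
	return strings.Join(req.Cert.Subject.OrganizationalUnit, ","), nil
}

func main() {
	ca, caKey := issue("root", "ca", nil, nil)
	mgmt, mgmtKey := issue("mgmt-1", "management", ca, caKey)
	aud, audKey := issue("term-7", "auditing", ca, caKey)
	fmt.Println(verify(ca, mgmt, authorize(mgmtKey, aud), signRequest(audKey, aud, []byte("material-001"))))
}
```

Re-authorizing a terminal in this sketch is a new `authorize` call by the management key holder; the CA does not have to issue anything again.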
The embodiment of the application also discloses the electronic equipment 700.
Specifically, the electronic device 700 includes: a memory 710 and one or more processors 720, one processor 720 and memory 710 being illustrated in FIG. 7. The processor 720 and the memory 710 may be connected by a bus 730 or otherwise, as exemplified by the bus connection in fig. 7.
The memory 710, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs and non-transitory computer executable programs, such as the authorization methods described in the embodiments of the present application. The processor 720 implements the authorization method in the embodiments of the present application described above by running non-transitory software programs and programs stored in the memory 710. For example, the above steps S101 to S106 in fig. 1, steps S301 to S302 in fig. 3, steps S401 to S403 in fig. 4, and steps S501 to S504 in fig. 5 are performed.
The memory 710 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data and the like necessary to execute the authorization method in the embodiment of the present application described above. Further, the memory 710 may include high speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the electronic device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and programs needed to implement the authorization methods in the embodiments of the present application described above are stored in the memory 710 and, when executed by one or more processors, perform the authorization methods in the embodiments of the present application described above.
Furthermore, the present application also provides a computer-readable storage medium, which stores a computer-executable program, which is executed by one or more control processors, for example, to execute steps S101 to S106 in fig. 1, steps S301 to S302 in fig. 3, steps S401 to S403 in fig. 4, and steps S501 to S504 in fig. 5.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The embodiments described in the present application are intended to illustrate the technical solutions more clearly and do not constitute a limitation on them; it is obvious to those skilled in the art that, as technology evolves and new application scenarios emerge, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
It will be appreciated by those skilled in the art that the embodiments shown in fig. 1 to 7 do not constitute a limitation of the embodiments of the present application, and that more or fewer components than those shown in the figures may be included, or certain components may be combined, or different components may be included.
It should be understood that, in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships are possible; for example, "A and/or B" may indicate: only A, only B, or both A and B, wherein A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and the scope of the claims of the embodiments of the present application is not limited thereby. Any modifications, equivalents and improvements that may occur to those skilled in the art without departing from the scope and spirit of the embodiments of the present application are intended to be within the scope of the claims of the embodiments of the present application.

Claims (10)

1. A method of authorization, the method comprising:
configuring a plurality of types of digital certificates, wherein the digital certificates at least comprise management type digital certificates and at least one type of common type digital certificates, and the management type digital certificates correspond to the authority of issuing authorization files to the terminal;
issuing an authorization file to at least one terminal through the authority of the management type digital certificate, and backing up the authorization file, wherein the authorization file comprises the common type digital certificate and a corresponding digital signature;
acquiring an operation request reported by a terminal, wherein the operation request carries a first common digital certificate and a first digital signature corresponding to the terminal;
verifying the validity of the first common digital certificate through the authorization file;
under the condition that the first common digital certificate is legal, verifying the legality of the operation request through the first digital signature;
and executing the operation corresponding to the operation request under the condition that the operation request is legal.
2. The method of claim 1, further comprising:
and configuring a preset decryption module, wherein at least one of a first preset private key and a first preset public key is stored in the preset decryption module, the first preset private key is used for decrypting the PCK file, and the first preset public key is used for verifying the first digital signature.
3. The method of claim 1, further comprising:
verifying the legality of the management digital certificate through a preset CA certificate;
and under the condition that the management digital certificate is legal, verifying the legality of the first common digital certificate through the authorization file.
4. The method according to claim 2, wherein said verifying the validity of the first generic type digital certificate by the authorization file comprises:
and determining the legality of the first common digital certificate according to the consistency of the common digital certificate stored in the authorization file and the first common digital certificate.
5. The method of claim 2, wherein the authorization file further comprises a preset digest algorithm, the preset digest algorithm is used for generating a digest of the generic digital certificate, and the verifying the validity of the operation request through the digital signature comprises:
generating a first digest of the first common digital certificate through the preset digest algorithm;
decrypting the first digital signature through a first preset public key to obtain a second digest;
and determining the legality of the operation request according to the consistency of the first digest and the second digest.
6. The method of claim 2, wherein configuring the plurality of types of digital certificates comprises:
sending a certificate issuance request to a security center;
receiving a PCK file fed back by the security center in response to the certificate issuance request, wherein the PCK file is obtained by encrypting a P12 digital envelope by using the first preset public key;
decrypting the PCK file through a first preset private key to obtain the P12 digital envelope, wherein the P12 digital envelope at least comprises a management digital certificate and at least one type of the common digital certificate;
and extracting and storing various types of digital certificates from the P12 digital envelope.
7. The method according to any one of claims 1 to 6, wherein the digital certificate further comprises an audit-type digital certificate, and the audit-type digital certificate corresponds to an operation authority for viewing the terminal log information.
8. The method of any of claims 1-6, the digital certificate including at least a user item or an extension item, the method further comprising:
determining the type of the digital certificate through a user item in the digital certificate;
or
determining the type of the digital certificate through the extension item in the digital certificate.
9. An electronic device, comprising: memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the authorization method according to any of claims 1 to 8 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the authorization method according to any one of claims 1 to 8.
CN202211508694.0A 2022-11-29 2022-11-29 Authorization method, electronic device, and computer-readable storage medium Pending CN115801281A (en)

Publications (1)

Publication Number Publication Date
CN115801281A true CN115801281A (en) 2023-03-14

Family

ID=85442862

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117354069A (en) * 2023-12-06 2024-01-05 自然资源陕西省卫星应用技术中心 Remote sensing data management system and method based on data lake
CN117354069B (en) * 2023-12-06 2024-02-13 自然资源陕西省卫星应用技术中心 Remote sensing data management system and method based on data lake

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination