CN117118750B - Data sharing method and device based on white-box password, electronic equipment and medium - Google Patents

Data sharing method and device based on white-box password, electronic equipment and medium Download PDF

Info

Publication number
CN117118750B
CN117118750B CN202311368306.8A CN202311368306A CN117118750B CN 117118750 B CN117118750 B CN 117118750B CN 202311368306 A CN202311368306 A CN 202311368306A CN 117118750 B CN117118750 B CN 117118750B
Authority
CN
China
Prior art keywords
access
information
user
determining
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311368306.8A
Other languages
Chinese (zh)
Other versions
CN117118750A (en
Inventor
张彦俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongshan Polytechnic
Original Assignee
Zhongshan Polytechnic
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongshan Polytechnic filed Critical Zhongshan Polytechnic
Priority to CN202311368306.8A priority Critical patent/CN117118750B/en
Publication of CN117118750A publication Critical patent/CN117118750A/en
Application granted granted Critical
Publication of CN117118750B publication Critical patent/CN117118750B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a data sharing method, a device, electronic equipment and a medium based on a white-box password, wherein the method comprises the steps of obtaining first identity verification information corresponding to a user according to access request information when the access request information of the user when accessing a shared database is detected, and obtaining a first matching result; when the access address is a prestored access address, acquiring a dynamic key corresponding to the access time of the user; determining an access program of a user when accessing the shared database according to the access request information, and determining a preset program identifier from the access program; determining target encryption verification information corresponding to a preset program identifier according to the current access time, and restoring the target encryption verification information according to the dynamic key to obtain second identity verification information; obtaining a second matching result according to the pre-stored second identity information; and according to the first matching result and the second matching result, carrying out identity authentication on the user. The method and the device can improve safety in the data sharing process.

Description

Data sharing method and device based on white-box password, electronic equipment and medium
Technical Field
The present disclosure relates to the field of secure encryption technologies, and in particular, to a method, an apparatus, an electronic device, and a medium for sharing data based on a white-box password.
Background
With the development of the information age, data sharing is increasingly and widely applied to various scenes, for example, a shared database containing network assets of different departments and different network domains can be established between different departments and different network domains, and visitors belonging to different departments or different network domains can fully utilize the existing data resources in the shared database through the shared database without repeated labor of collecting a large amount of data, collecting data and the like of the visitors.
However, there may be a large number of untrusted terminals in the cross-industry business system, and when the untrusted terminals access the shared database, the security of the shared database may be challenged, so that in order to ensure the security of the shared data in the shared database, a secure data sharing method is needed.
Disclosure of Invention
In order to improve security in a data sharing process, the application provides a data sharing method, device, electronic equipment and medium based on white-box passwords.
In a first aspect, the present application provides a method for sharing data based on a white-box password, which adopts the following technical scheme:
A data sharing method based on white-box passwords comprises the following steps:
when access request information of a user accessing a shared database is detected, acquiring first authentication information corresponding to the user according to the access request information, wherein the first authentication information comprises a user account number and a user password;
matching the first authentication information with pre-stored first authentication information to obtain a first matching result;
determining an access address and access time of the user according to the access request information, and acquiring a dynamic key corresponding to the user at the access time when the access address is a prestored access address;
determining an access program of the user when accessing the shared database according to the access request information, and determining a preset program identifier from the access program;
determining target encryption verification information corresponding to the preset program identifier according to the access time and the corresponding relation between the program identifier and the encryption verification information, and restoring the target encryption verification information according to the dynamic key to obtain second identity verification information;
matching the second identity verification information with pre-stored second identity information to obtain a second matching result;
And carrying out identity verification on the user according to the first matching result and the second matching result, and allowing the user to access a shared database if the identity verification is successful.
By adopting the technical scheme, the loss of data leakage caused by stealing of the user account passwords can be reduced by carrying out double identity authentication on the users accessing the shared database, whether the access addresses of the users are prestored access addresses or not is judged by using the account numbers and the passwords, the access addresses are limited to prevent unauthorized users or hackers from accessing the shared database in the form of stealing the account passwords, so that the safety of data in the shared database can be ensured.
In one possible implementation, the dynamic key forming process includes:
when the user is a new user, integrating the access address and account information of the user to obtain integrated information, and converting the format of the integrated information to obtain character information, wherein the account information comprises a user account and a user password;
performing expression conversion on the character information according to a preset conversion frequency to obtain corresponding encryption verification information, and recording a conversion rule corresponding to each expression conversion process;
and forming a dynamic key according to the preset conversion frequency and a conversion rule corresponding to each conversion.
By adopting the technical scheme, the access address and account information of the user are subjected to multi-layer encryption processing through character conversion and expression conversion to obtain regular information, the security of the encrypted information is convenient to improve through multi-layer encryption, and as the same character information can be converted by adopting a plurality of different expressions, namely, the same character information corresponds to a plurality of different conversion rules when the expression conversion is carried out, the identity verification is carried out through a dynamic key formed by switching the conversion rules corresponding to the current moment through a preset frequency, rather than the identity verification carried out by adopting a fixed key, the security and the accuracy during the identity verification are improved.
In one possible implementation manner, after determining the access address and the access time of the user, the method further includes:
when the access address is not a pre-stored access address, generating a biological feature acquisition prompt message, and feeding back the biological feature acquisition prompt message to a terminal device corresponding to the user, wherein the biological feature acquisition prompt message comprises at least one biological feature to be acquired;
acquiring the biological characteristics uploaded by the user, and matching the biological characteristics with pre-stored biological characteristics corresponding to the user to obtain a biological characteristic matching result;
and carrying out identity verification on the user according to the first matching result and the biological characteristic matching result, and allowing the user to access a shared database if the identity verification is successful.
By adopting the technical scheme, when the user is detected not to use the pre-stored access address for access, the user can log in different places, or the account information of the user can be stolen, and a hacker or other unauthorized user can log in different places, at the moment, the user logging in the account needs to be subjected to biological feature extraction, the identity of the user is verified through the extracted biological feature, and the identity verification can effectively prevent impersonation and counterfeiting by using the biological feature because the biological feature of the user is unique.
In one possible implementation manner, before the generating the biometric acquisition prompt information, the method further includes:
according to the historical login information, determining each remote login address corresponding to the user account in a first preset time period and historical remote login time corresponding to each remote login address;
according to the historical biological verification information, determining a historical biological feature matching result corresponding to the different-place login address at each historical different-place login time, wherein the historical biological feature matching result comprises matching and non-matching;
counting the number of the matched result of the historical biological feature corresponding to each remote login address in the first preset time period;
determining the address type of the remote login address according to the result number and a preset number threshold, wherein the address type comprises a trusted address and an untrusted address;
and determining the biological feature identification quantity corresponding to the address type according to the corresponding relation between the address type and the biological feature identification quantity.
By adopting the technical scheme, when the quantity of the biological characteristics to be acquired in the biological characteristic acquisition instruction is determined, the quantity of the biological characteristics to be acquired can be determined through the address type of the remote login address, when the address type is the trusted address, the security level of the remote login address is higher, the quantity of the biological characteristics to be acquired can be reduced at the moment, so that the data processing rate is convenient to improve, when the address type is the untrusted address, the security level of the remote login address is lower, the quantity of the biological characteristics to be acquired can be increased at the moment, and the accuracy of identity verification is convenient to improve.
In one possible implementation, the method further includes:
acquiring the number of the different-place login addresses corresponding to each user account in a second preset time period according to the historical login information;
determining the user account number with the number of the different-place login addresses exceeding a preset threshold value as an abnormal account number;
according to the historical access data, determining the latest historical access data when the abnormal account logs in by adopting a pre-stored access address;
determining a random value according to a random number algorithm;
acquiring a link address corresponding to the latest historical access data, and determining an associated account number from the link address according to a random value;
and sending the associated account number to the terminal equipment corresponding to the pre-stored access address.
By adopting the technical scheme, when the user account is logged in different places for multiple times and the addresses logged in different places at each time are different, the risk of the user account is represented, at the moment, the security in the access process is conveniently improved by generating the associated account of the abnormal account and accessing the shared database through the associated account, the random determination is carried out according to the link address corresponding to the data accessed when the abnormal account is accessed to the shared database last time when the associated account is determined, and the association account randomly generated through the link address has large difference with the original user account, so that a relevant hacker or attacker is difficult to think of the association account according to the original user account, and the security when the shared database is accessed by the association account is conveniently improved.
In one possible implementation manner, after the authenticating the user according to the first matching result and the second matching result, the method further includes:
if the identity verification of the user is successful, the access requirement information of the user is obtained, wherein the access requirement information comprises an information identifier to be accessed and an operation type to be accessed, and the operation type to be accessed comprises checking and editing;
determining an access demand level according to the access demand information;
determining an access verification instruction according to the access demand level, and feeding the access verification instruction back to the terminal equipment logging in the user account, wherein the access verification instruction is used for representing a verification identifier to be obtained;
after receiving the access verification identification uploaded by the user, matching the access verification identification with a pre-stored access verification identification corresponding to the access verification instruction to obtain an access verification matching value;
and when the access verification matching value is higher than a preset access verification matching value, allowing the user to access the shared database according to the access requirement information.
By adopting the technical scheme, when the data with higher security level is required to be accessed, the data is conveniently protected by performing access verification on the visitor, the access verification instructions corresponding to the data with different security levels are different, namely the access verification requirements corresponding to the data with different security levels are different, the verification requirements corresponding to each data are determined according to the access requirement level corresponding to each data, and the accuracy of determining the access verification matching result is convenient to improve.
In one possible implementation manner, the determining an access requirement level according to the access requirement information includes:
determining the number of times of abnormal access of the to-be-accessed demand information corresponding to the to-be-accessed information identifier in a third preset time period according to the historical abnormal data;
determining a target first weight of the to-be-accessed demand information according to the abnormal access times and the corresponding relation between the abnormal access times and the first preset weight;
determining an identification operation type of the to-be-accessed demand information according to the to-be-accessed information identification and the to-be-accessed operation type, and determining a target second weight of the to-be-accessed demand information according to a corresponding relation between the identification operation type and the second preset weight;
determining a target weight of the to-be-accessed demand information according to the target first weight and the target second weight of the to-be-accessed demand information, and determining an access demand level corresponding to the target weight according to the corresponding relation between the target weight and the access demand level.
By adopting the technical scheme, the security level of the information to be accessed is determined by counting the abnormal times in the historical access process of the information to be accessed, and as the access levels corresponding to different information identifiers to be accessed are different, the access levels corresponding to different operation types are also different, and the access level of the information to be accessed is determined jointly by combining the information identifiers to be accessed with the operation types needing to operate the information to be accessed, so that the accuracy in determining the access requirement level is convenient to improve.
In a second aspect, the present application provides a data sharing device based on a white-box password, which adopts the following technical scheme:
a white-box password-based data sharing apparatus comprising:
the system comprises a first identity verification information acquisition module, a second identity verification information acquisition module and a user password acquisition module, wherein the first identity verification information acquisition module is used for acquiring first identity verification information corresponding to a user according to access request information when the access request information of the user when the user accesses a shared database is detected, and the first identity verification information comprises a user account number and the user password;
a first matching result determining module, configured to match the first authentication information with pre-stored first authentication information, to obtain a first matching result;
the dynamic key acquisition module is used for determining the access address and the access time of the user according to the access request information, and acquiring a dynamic key corresponding to the access time of the user when the access address is a prestored access address;
the program identification determining module is used for determining an access program of the user when accessing the shared database according to the access request information and determining a preset program identification from the access program;
a second identity verification information determining module, configured to determine target encryption verification information corresponding to the preset program identifier according to the access time and a corresponding relationship between the program identifier and the encryption verification information, and restore the target encryption verification information according to the dynamic key to obtain second identity verification information;
A second matching result determining module, configured to match the second authentication information with pre-stored second identity information, to obtain a second matching result;
and the identity verification module is used for carrying out identity verification on the user according to the first matching result and the second matching result, and if the identity verification is successful, the user is allowed to access the shared database.
By adopting the technical scheme, the loss of data leakage caused by stealing of the user account passwords can be reduced by carrying out double identity authentication on the users accessing the shared database, whether the access addresses of the users are prestored access addresses or not is judged by using the account numbers and the passwords, the access addresses are limited to prevent unauthorized users or hackers from accessing the shared database in the form of stealing the account passwords, so that the safety of data in the shared database can be ensured.
In one possible implementation, the apparatus further includes:
the system comprises an integration information module, a user identification module and a user password module, wherein the integration information module is used for integrating an access address of the user and account information to obtain integration information when the user is a new user, and converting the format of the integration information to obtain character information, and the account information comprises a user account and a user password;
the expression conversion module is used for carrying out expression conversion on the character information according to a preset conversion frequency to obtain corresponding encryption verification information, and recording a conversion rule corresponding to each expression conversion process;
and the dynamic key determining module is used for forming a dynamic key according to the preset conversion frequency and the conversion rule corresponding to each conversion.
In one possible implementation, the apparatus further includes:
the system comprises a biological feature extraction module, a user identification module and a user identification module, wherein the biological feature extraction module is used for generating biological feature acquisition prompt information when the access address is not a pre-stored access address, and feeding the biological feature acquisition prompt information back to terminal equipment corresponding to the user, and the biological feature acquisition prompt information comprises at least one biological feature to be acquired;
the biological feature matching module is used for acquiring the biological feature uploaded by the user, matching the biological feature with the prestored biological feature corresponding to the user, and obtaining a biological feature matching result;
And the biological verification module is used for carrying out identity verification on the user according to the first matching result and the biological feature matching result, and if the identity verification is successful, the user is allowed to access the shared database.
In one possible implementation, the apparatus further includes:
the remote login information determining module is used for determining each remote login address corresponding to the user account in a first preset time period and the historical remote login time corresponding to each remote login address according to the historical login information;
the historical biological feature matching result determining module is used for determining a historical biological feature matching result corresponding to the different-place login address at each historical different-place login time according to the historical biological verification information, and the historical biological feature matching result comprises matching and non-matching;
the statistics result module is used for counting the number of the matched result of the historical biological feature matching result corresponding to each remote login address in the first preset time period;
the address type determining module is used for determining the address type of the remote login address according to the result number and a preset number threshold, wherein the address type comprises a trusted address and an untrusted address;
The biometric identification number determining module is used for determining the biometric identification number corresponding to the address type according to the corresponding relation between the address type and the biometric identification number.
In one possible implementation, the apparatus further includes:
the remote login information acquisition module is used for acquiring the number of the remote login addresses corresponding to each user account in a second preset time period according to the historical login information;
the abnormal account number determining module is used for determining the user accounts with the number of the different-place login addresses exceeding a preset threshold value as abnormal accounts;
the historical access data determining module is used for determining the latest historical access data when the abnormal account number is logged in by adopting a pre-stored access address according to the historical access data;
the random value determining module is used for determining a random value according to a random number algorithm;
the associated account number determining module is used for acquiring a link address corresponding to the latest historical access data and determining an associated account number from the link address according to a random value;
and the associated account feedback module is used for sending the associated account to the terminal equipment corresponding to the pre-stored access address.
In one possible implementation, the apparatus further includes:
The access requirement acquisition module is used for acquiring access requirement information of the user if the identity verification of the user is successful, wherein the access requirement information comprises an information identifier to be accessed and an operation type to be accessed, and the operation type to be accessed comprises checking and editing;
the requirement level determining module is used for determining an access requirement level according to the access requirement information;
the verification instruction determining module is used for determining an access verification instruction according to the access requirement level and feeding the access verification instruction back to the terminal equipment logging in the user account, wherein the access verification instruction is used for representing a verification identifier to be acquired;
the verification identification matching module is used for matching the access verification identification with a prestored access verification identification corresponding to the access verification instruction after receiving the access verification identification uploaded by the user, so as to obtain an access verification matching value;
and the control access module is used for allowing the user to access the shared database according to the access requirement information when the access verification matching value is higher than a preset access verification matching value.
In one possible implementation manner, the requirement level determining module is specifically configured to, when determining the access requirement level according to the access requirement information:
Determining the number of times of abnormal access of the to-be-accessed demand information corresponding to the to-be-accessed information identifier in a third preset time period according to the historical abnormal data;
determining a target first weight of the to-be-accessed demand information according to the abnormal access times and the corresponding relation between the abnormal access times and the first preset weight;
determining an identification operation type of the to-be-accessed demand information according to the to-be-accessed information identification and the to-be-accessed operation type, and determining a target second weight of the to-be-accessed demand information according to a corresponding relation between the identification operation type and the second preset weight;
determining a target weight of the to-be-accessed demand information according to the target first weight and the target second weight of the to-be-accessed demand information, and determining an access demand level corresponding to the target weight according to the corresponding relation between the target weight and the access demand level.
In a third aspect, the present application provides an electronic device, which adopts the following technical scheme:
an electronic device, the electronic device comprising:
at least one processor;
a memory;
at least one application, wherein the at least one application is stored in memory and configured to be executed by at least one processor, the at least one application configured to: and executing the data sharing method based on the white-box password.
In a fourth aspect, the present application provides a computer readable storage medium, which adopts the following technical scheme:
a computer-readable storage medium, comprising: a computer program capable of being loaded by a processor and executing the above-described white-box password-based data sharing method is stored.
In summary, the present application includes at least one of the following beneficial technical effects:
the method has the advantages that the loss of data leakage caused by stealing of the user account passwords can be reduced by carrying out double identity authentication on users accessing the shared database, whether the access addresses of the users are prestored access addresses or not is judged by using the account numbers and the passwords, the access addresses are limited to prevent unauthorized users or hackers from accessing the shared database through the form of stealing the account passwords, so that the safety of data in the shared database can be ensured, when the access addresses are determined to be prestored access addresses, the visitor is subjected to identity authentication for the second time based on the dynamic keys corresponding to the access moments, the dynamic keys can effectively prevent hacking, and even if the dynamic keys corresponding to different access moments are different, the dynamic keys at future moments cannot be predicted by intercepting the dynamic keys at certain moments, so that the accuracy in the process of identity authentication is further improved by using the dynamic keys, the encrypted authentication information and the access programs are bound, the encrypted authentication information can be directly acquired according to the access programs corresponding to the users without transmitting the encrypted authentication information again, so that the probability of the encrypted authentication information in the process of the access authentication is reduced, the probability of the hackers in the process of being successfully transmitted in the process of the shared data is further facilitated.
When a user account is logged in different places for multiple times and the addresses logged in different places at each time are different, the risk of the user account is represented, at the moment, the shared database can be accessed through the associated account by generating the associated account of the abnormal account, so that the safety in the access process is convenient to improve, the random determination is carried out according to the link address corresponding to the data accessed when the abnormal account is accessed to the shared database last time when the associated account is determined, the associated account randomly generated through the link address has larger difference from the original user account, and therefore, a relevant hacker or attacker hardly thinks of the associated account according to the original user account, so that the safety when the shared database is accessed by the associated account is convenient to improve.
Drawings
Fig. 1 is a schematic flow chart of a data sharing method based on white-box cryptography in an embodiment of the application;
FIG. 2 is an exemplary diagram of an access requirement level determination process in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a data sharing device based on a white-box password in an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Description of the embodiments
The present application is described in further detail below in conjunction with figures 1-4.
Modifications of the embodiments which do not creatively contribute to the invention may be made by those skilled in the art after reading the present specification, but are protected by patent laws only within the scope of claims of the present application.
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Specifically, the embodiment of the application provides a data sharing method based on a white-box password, which is executed by electronic equipment, wherein the electronic equipment can be a server or a terminal device, and the server can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server for providing cloud computing service. The terminal device may be a smart phone, a tablet computer, a notebook computer, a desktop computer, etc., but is not limited thereto, and the terminal device and the server may be directly or indirectly connected through a wired or wireless communication manner, which is not limited herein.
Referring to fig. 1, fig. 1 is a flowchart of a method for sharing data based on white-box cryptography according to an embodiment of the present application, where the method includes steps S110 to S170, and the method includes:
step S110: when access request information of a user accessing the shared database is detected, first authentication information corresponding to the user is obtained according to the access request information, wherein the first authentication information comprises a user account number and a user password.
Specifically, the shared database is a database which performs common management on a plurality of application programs or network domains through a database management system, the shared database contains data information corresponding to different application programs and different network domains, and data cross-domain sharing can be realized through the shared database. However, since the shared database contains a large amount of data of different applications and different network domains, the security of the shared database is particularly important, and in order to improve the security of the data sharing process, the identity of the visitor needs to be verified, where the login verification can be performed through the user account number and the user password. The access request information is used for representing an access request instruction generated before the user accesses the shared database, after the electronic device receives the access request instruction sent by the user, the electronic device can jump to a user login interface according to the access request instruction, and the user account and the user password are obtained according to the access request instruction, the access request information can be sent to the electronic device by the user through the user terminal, and can be generated after the user triggers the corresponding position of the electronic device, and the formation mode of the access request information is not particularly limited in the embodiment of the application, so long as the user account and the user password can be obtained according to the access request information.
Step S120: and matching the first authentication information with pre-stored first authentication information to obtain a first matching result.
Specifically, the pre-stored identity first identity verification information is account information registered when a user accesses the shared database for the first time, when the first identity verification information is matched with the pre-stored first identity verification information, a user password in the first identity verification information is matched with a password in registration through matching the user account in the first identity verification information with the account in registration, a first matching result is obtained, the first matching result comprises matching success and matching failure, and when the user account is the same as the account in registration and the user password is the same as the password in registration, the first matching result is determined to be matching success.
Step S130: and determining the access address and the access time of the user according to the access request information, and acquiring a dynamic key corresponding to the access time of the user when the access address is a prestored access address.
Specifically, the access request information further includes user access record information, where the user access record information includes an access IP address and an access time when the user accesses the shared database, and the access IP address is an IP address corresponding to a front-end device when the user accesses the shared database at the access time. The pre-stored access address is the access address when the user accesses the shared data for the first time, the specific pre-stored access address is not specifically limited in the embodiment of the application, the actual access address when the user accesses the shared data for the first time is used for determining, in the embodiment of the application, the device key is set in the terminal device corresponding to the default pre-stored access address, the security level is higher, if a hacker or other malicious attacker wants to log in by adopting the device corresponding to the pre-stored access address, the device key set in the device is also required to be cracked, therefore, before the second identity verification is carried out, whether the access address is the pre-stored access address is required to be judged, so that the security when the visitor accesses the shared data is further improved, when the access address is the pre-stored access address, the dynamic key is obtained again, and if the access address in the access request information is not the pre-stored access address, the dynamic key is not obtained.
Because the Web server records the IP address information of the visitor and stores the IP address information in the access log, when the access address of the user is determined according to the access request information, the user identifier may be a user account number, and in this embodiment, the user identifier may be not specifically limited, so long as the user can be represented, and whether the access address of the user is a pre-stored access address may be determined by matching the access IP address determined in the Web server log with the pre-stored access address.
The dynamic key is generated after encrypting the user identity information and is used for recording the encryption process, the encrypted identity information can be restored through the dynamic key, the dynamic keys corresponding to different access moments are different, and only the dynamic key corresponding to the current access moment can restore the encryption information corresponding to the current access moment.
Step S140: and determining an access program of the user when accessing the shared database according to the access request information, and determining a preset program identification from the access program.
Specifically, when the access program is the running program corresponding to the user terminal device when the access program sends the access request information to the user, the user source codes corresponding to different users are different, the preset program identifier may be a part of the programs in the user source codes or may be variable names in the user source codes, and the specific preset program identifier is not specifically limited in the embodiment of the application and may be set by related technicians, so long as the corresponding user can be determined through the preset program representation. The running program corresponding to the user terminal device can be uploaded to the electronic device by the user terminal device. When the preset program identifier is determined from the access program, the preset program identifier can be used as a target identifier feature, and traversing is performed from the access program according to the target identifier feature so as to determine the preset program identifier contained in the user source code.
Step S150: and determining target encryption verification information corresponding to the preset program identifier according to the access time and the corresponding relation between the program identifier and the encryption verification information, and restoring the target encryption verification information according to the dynamic key to obtain second identity verification information.
Specifically, the corresponding relationship between the program identifier and the encrypted verification information includes a plurality of sets of corresponding relationships between the encrypted user identity information and the corresponding user program identifier, and the specific corresponding relationship between the program identifier and the encrypted verification information is not specifically limited in the embodiment of the present application, and may be added, deleted or modified by a related technician. The encrypted verification information is encrypted user identity information, and the encrypted verification information corresponding to any program identifier can be determined by establishing the corresponding relation between the program identifier and the encrypted verification information and the corresponding relation between the program identifier and the encrypted verification information. When the target encryption verification information is restored according to the dynamic key, the target encryption verification information is restored mainly by performing reverse order operation on the encryption process.
Step S160: and matching the second identity verification information with pre-stored second identity information to obtain a second matching result.
Specifically, the second matching result comprises a matching result and unsuccessful matching, if the restored second identity authentication information is consistent with the pre-stored second identity information, the second matching result is determined to be successful matching, and if the restored second identity authentication information is inconsistent with the pre-stored second identity authentication information, the second matching result is determined to be unsuccessful matching.
Step S170: and carrying out identity verification on the user according to the first matching result and the second matching result, and if the identity verification is successful, allowing the user to access the shared database.
Specifically, when the first matching result and the second matching result are both successful, the user is allowed to access the shared database.
For the embodiment of the application, the loss of data leakage caused by stealing of the user account passwords can be reduced by carrying out double identity authentication on the user accessing the shared database, whether the access address of the user is a pre-stored access address or not is judged by using the account numbers and the passwords, the access address is limited to prevent unauthorized users or hackers from accessing the shared database in the form of stealing the account passwords, so that the safety of data in the shared database can be ensured.
Further, since the dynamic keys obtained at different access moments are different, hacking can be effectively prevented when the user is authenticated twice by using the dynamic keys, wherein the forming process of the dynamic keys includes:
when the user is a new user, integrating the access address of the user and account information to obtain integrated information, and converting the format of the integrated information to obtain character information, wherein the account information comprises a user account and a user password; performing expression conversion on the character information according to a preset conversion frequency to obtain corresponding encryption verification information, and recording a conversion rule corresponding to each expression conversion process; and forming a dynamic key according to the preset conversion frequency and a conversion rule corresponding to each conversion.
Specifically, the dynamic key is formed according to the user account information and the access address adopted when the user accesses the shared database for the first time, so that the dynamic key is generated when the user is a new user, that is, the dynamic key is generated when the user accesses the shared database for the first time. The access address, the user account and the user password of the user are integrated, namely, the access address, the user account and the user password of the user are arranged according to the random arrangement position generated by a random algorithm, for example, the access address of the user is 192.168.0.1, the user account is 12345, the user password is abcd, and the random arrangement position generated according to the random algorithm is the user account, the access address and the user password, so that after being arranged according to the random arrangement position generated randomly, the formed integrated information is 12345/19216801/abcd, the random arrangement position is determined through the random algorithm instead of being integrated in a fixed integration mode, and the privacy of the integrated information is facilitated to be improved.
When the integrated information is converted into the format of ASCII code, for example, the integrated information is "12345/19216801/abcd" and the character information obtained after the integrated information is converted into the format of ASCII code is "49 50 51 52 53 47 49 57 50 46 49 54 56 46 48 49 47 97 98 99 100", where ASCII code is a character coding standard, a coding mode of 128 characters (including letters, numbers and symbols) is defined, and the mode of converting the integrated information into the format of the integrated information is not specifically limited in the embodiment of the present application, so long as the converted character information corresponds to the integrated information.
The character information after format conversion is subjected to expression conversion, namely the character information is displayed in another mode, but encryption verification information obtained after the expression conversion has the same meaning as the character information, wherein when the character information is subjected to expression conversion, the character information can be converted into a regular expression, the obtained encryption verification information is the regular expression corresponding to the character information, the regular expression is a character string processing grammar based on character matching and used for describing a character string of a specific mode, the character string can be replaced by the mode, the regular expression contains a plurality of special characters and the meaning and the usage of each characteristic character for representation, for example, any character contained in a 'xyz' matching set can be used, namely 'abc' can be matched with 'a' in 'plane'; for example "\B" can be matched with a non-word boundary, such as "a\B" can be matched with "a" in "car", because the same character can be represented by adopting different regular expressions, the character information can be converted into different encryption verification information by adopting preset conversion frequencies, and a plurality of conversion rules can be correspondingly generated, wherein each conversion rule has corresponding encryption verification information, the preset conversion frequencies and the corresponding conversion rules form a dynamic key together, the target dynamic key corresponding to the current access moment can be conveniently determined through the preset conversion frequencies, the preset conversion frequencies can be switched once for 30 minutes or can be switched once for 1 hour, and the embodiment of the application is not particularly limited, for example, 6 conversion rules are contained, the preset conversion frequencies are switched once for 1 hour, and therefore, the conversion rules adopted at 0-1 point are conversion rules 1; the conversion rule adopted by the 2-3 points is 2, and so on, and the target conversion rule corresponding to the current access time, namely the target dynamic key corresponding to the current access time, can be determined from the dynamic key according to the current access time.
Further, when the user performs the second authentication, the user needs to be ensured to access by using a pre-stored access address, but there is a case that the user logs in from different places, for example, a front-end device corresponding to the pre-stored access address is a company terminal, and when the user logs in from a home terminal, the user cannot access the shared database in the home because the access IP address corresponding to the home terminal is different from the pre-stored access address, and in order to solve the case, the method further comprises:
when the access address is not a pre-stored access address, generating biological characteristic acquisition prompt information, and feeding the biological characteristic acquisition prompt information back to terminal equipment corresponding to the user, wherein the biological characteristic acquisition prompt information comprises at least one biological characteristic to be acquired; acquiring biological characteristics uploaded by a user, and matching the biological characteristics with pre-stored biological characteristics corresponding to the user to obtain a biological characteristic matching result; and carrying out identity verification on the user according to the first matching result and the biological characteristic matching result, and if the identity verification is successful, allowing the user to access the shared database.
Specifically, when detecting that the user may have a login in a different place, in order to protect shared data in the shared database during the process of accessing the user in a different place, a biological feature recognition mode may be adopted to perform secondary identity authentication on the user using the login in a different place. After the electronic device generates the biometric acquisition prompt information, the generated biometric acquisition prompt information is fed back to the device terminal where the user logs in the different places currently so as to collect the biometric characteristics of the user, and the biometric prompt information contains biometric characteristics to be collected and can include facial characteristics, voice characteristics, fingerprint characteristics and the like.
The pre-stored biological characteristics are biological characteristic information recorded when the user accesses the shared database for the first time, including facial characteristics, sound characteristics, fingerprint characteristics and the like, one type of biological characteristics can be collected when the user is subjected to biological characteristic collection, a plurality of types of biological characteristics can also be collected, the number of collected biological characteristics is not particularly limited in the embodiment of the application, when the collected biological characteristics are matched with the pre-stored biological characteristics, the target pre-stored biological characteristics can be determined from the pre-stored biological characteristics through the collected biological characteristic identification, and when the collected biological characteristics are consistent with the target pre-stored biological characteristics, the biological characteristic matching result of the user is determined to be successful. And when the first matching result and the biological characteristic matching result are matched successfully, the identity verification of the user is characterized to be successful, namely, the user is allowed to access the shared database in a form of logging in different places.
Furthermore, in order to improve accuracy and efficiency in the verification of the biological feature, before generating the prompt information for acquiring the biological feature, the method further comprises:
according to the historical login information, determining each remote login address corresponding to the user account in a first preset time period and historical remote login time corresponding to each remote login address; according to the historical biological verification information, determining a historical biological feature matching result corresponding to the different-place login address at each historical different-place login time, wherein the historical biological feature matching result comprises matching and non-matching; counting the number of the matched result of the historical biological feature corresponding to each remote login address in a first preset time period; determining the address type of the remote login address according to the result number and a preset number threshold, wherein the address type comprises a trusted address and an untrusted address; and determining the biological feature recognition quantity corresponding to the address type according to the corresponding relation between the address type and the biological feature recognition quantity.
Specifically, if the user frequently accesses the shared database by using the same off-site login address, and the matching success probability of the corresponding biometric feature matching result is high in the multiple off-site login process, so that when the user is detected again to access the shared database by using the same off-site login address, the number of acquired biometric features can be reduced, for example, when the user accesses the shared database by using a certain off-site login address for the first time, the number of biometric features to be acquired in the generated biometric feature acquisition prompt information is 3, and if the user accesses the shared database by using the off-site login address for multiple times after the first off-site login, and each time the biometric feature matching result is successfully matched, the next time when the user accesses the shared database by using the same off-site login address is detected, the number of biometric features to be acquired in the generated biometric feature acquisition prompt information can be reduced to 1 or 2.
The first preset time period may be within 5 days or within one week after the first off-site login, and the specific preset time period is not specifically limited in the embodiment of the present application, so long as the login habit of the user during the off-site login can be determined. The preset number threshold may be 4 or 5, that is, when the user accesses the shared database by using the same allopatric login address in a preset time period, the biometric feature matching is successfully performed for 4 times or 5 times, and the specific preset threshold is not specifically limited in the embodiment of the present application and may be set by related technicians. The corresponding relation between the address type and the biometric identification number comprises the biometric identification number corresponding to the trusted address and the biometric identification number corresponding to the untrusted address, wherein the biometric identification number corresponding to the trusted address can be 1 or 2 when the address type is the trusted address, the biometric identification number corresponding to the untrusted address can be 4 or 5, the biometric identification number corresponding to different address types is not particularly limited in the embodiment of the application, and the biometric identification number can be set by a related technician as long as the biometric number corresponding to the trusted address is lower than the untrusted biometric number.
Further, when the type of the remote login address is determined to be an untrusted address, if the remote login address is detected to access the shared database next time, warning information is generated to remind relevant technicians of timely finding possible malicious attacks so as to protect the shared database.
Further, if the user account information is stolen by a hacker or other attacker, the hacker or other attacker may log in the user account information in a plurality of different devices, so the risk probability of the user account is high, and in order to reduce the risk of the user account, the method further includes:
acquiring the number of the different-place login addresses corresponding to each user account in a second preset time period according to the historical login information; determining the user account number with the number of the different-place login addresses exceeding a preset threshold value as an abnormal account number; according to the historical access data, determining the latest historical access data when the abnormal account number is logged in by adopting a pre-stored access address; determining a random value according to a random number algorithm; acquiring a link address corresponding to the latest historical access data, and determining an associated account number from the link address according to a random value; and sending the associated account number to terminal equipment corresponding to the prestored access address.
Specifically, the historical login information includes login information of each user account, wherein the login information includes login addresses adopted in a previous login process of each user account, if a user account logs in on a plurality of different-place devices in a second preset time period, that is, different-place login addresses of a user account are logged in the second preset time period, at this time, the number of different-place devices for logging in the user account in the second preset time period, that is, the number of different-place login addresses adopted when logging in the user account in the preset time period is counted, and when the number of different-place login addresses exceeds a preset threshold, the user account is characterized in that risks possibly exist, so that the user account is determined to be an abnormal account, the abnormal account cannot access the shared database again, at this time, in order to reduce influence on the user account, an associated account of the user account can be generated, and the user can conveniently access the shared database by using the newly generated associated account. The second preset time period may be one week or two weeks before the current login time, and the specific second preset time period is not specifically limited in the embodiment of the present application.
When the associated account is generated, a random character string meeting the account requirement can be randomly generated through a random algorithm, the random character string is determined to be the associated account, and the associated account can be generated according to the historical access data of the user account, wherein when the associated account is generated by adopting the historical access data, a random array meeting the account requirement can be generated through a random number algorithm, each random number in the random array is determined to be a link character position, character grabbing is carried out from a link address corresponding to the latest historical access data according to the link character position, the grabbed characters are determined to be the associated account, for example, the random numbers contained in the random array determined by adopting the random number algorithm are 1534897 respectively, the link address corresponding to the latest historical access data is abo:/(1234.2333/ABCDEFG, and the corresponding relation between the random numbers and the corresponding characters in the link address is shown in table 1:
TABLE 1
At this time, the generated associated account number is "a/o:231". The method for generating the associated account is not specifically limited in the embodiment of the present application, as long as the associated account is different from the original user account, and in order to improve the security of the associated account, the generated associated account may be fed back to the terminal device corresponding to the pre-stored access address.
Further, to further protect the shared data within the shared database, the method further includes:
if the identity verification of the user is successful, the access requirement information of the user is obtained, wherein the access requirement information comprises an information identifier to be accessed and an operation type to be accessed, and the operation type to be accessed comprises checking and editing; determining an access demand level according to the access demand information; determining an access verification instruction according to the access demand level, and feeding back the access verification instruction to the terminal equipment logging in the user account; after receiving the access verification identification uploaded by the user, matching the access verification identification with a pre-stored access verification identification corresponding to the access verification instruction to obtain an access verification matching value; and when the access verification matching value is higher than the preset access verification matching value, allowing the user to access the shared database according to the access requirement information.
Specifically, since the shared database stores data of different network domains, the shared data volume is large, so there may be some data with a high security level, and the security level of the data corresponds to the access requirement level, so the method further includes step Sa, step Sb, step Sc, step Sd, and step Se, as shown in fig. 2, where:
step Sa: if the user authentication is successful, the access requirement information of the user is acquired, wherein the access requirement information comprises an information identifier to be accessed and an operation type to be accessed, and the operation type to be accessed comprises checking and editing.
Specifically, the access requirement information of the user can be sent to the electronic device by the corresponding login device when the user authentication is successful, the access requirement information of the user is different from the access request information of the user, the access request information does not contain the identification of the information to be accessed, namely, the access purpose of the user cannot be known through the access request information, the access requirement information contains the access purpose of the user, and the access purpose, namely, the access requirement information comprises target information which needs to be accessed after the user accesses the shared database and the operation type of the target information.
Step Sb: and determining the access demand level according to the access demand information.
Specifically, each shared data in the shared database corresponds to one information identifier, the data grades corresponding to different information identifiers are different, the shared data in the shared database can be graded through the information identifiers, the information identifiers corresponding to each shared data in the shared database can be determined to be manually calibrated by related technicians, and the determination can be performed based on the abnormal times of each shared data history, wherein the determination of the access demand grade according to the access demand information comprises the following steps:
determining the number of times of abnormal access of the to-be-accessed demand information corresponding to the to-be-accessed information identifier in a third preset time period according to the historical abnormal data; determining a target first weight of the to-be-accessed demand information according to the abnormal access times and the corresponding relation between the abnormal access times and the first preset weight; determining an identification operation type of the to-be-accessed demand information according to the to-be-accessed information identification and the to-be-accessed operation type, and determining a target second weight of the to-be-accessed demand information according to the corresponding relation between the identification operation type and the second preset weight; according to the target first weight and the target second weight of the to-be-accessed demand information, determining the target weight of the to-be-accessed demand information, and according to the corresponding relation between the target weight and the access demand level, determining the access demand level corresponding to the target weight.
Specifically, the historical abnormal data includes abnormal time corresponding to each shared data with abnormal access experience, wherein the abnormal access includes access data loss, frequent access in a short time by multiple users, and the like, the type of the abnormal access is not specifically limited in the embodiment of the present application, as long as the abnormal access experience exists, the specific abnormal access type can be limited by related technicians. The abnormal access times and the corresponding relation between the abnormal access times and the first preset weights comprise the first preset weights corresponding to the different abnormal access times respectively, wherein when the abnormal access times are 0-3 times, the corresponding first preset weights are 20%; when the abnormal access times are 4-6 times, the corresponding first preset weight is 30%; when the number of abnormal accesses is more than 6, the corresponding first preset weight is 50%, and the specific correspondence between the number of abnormal accesses and the first preset weight is not particularly limited in the embodiment of the present application, and may be set by a related technician. The third preset time period may be 2 days or 3 days, and the specific third preset time period is not specifically limited in the embodiment of the present application.
Since the operation types include viewing and editing, the second preset weights corresponding to the different operation types are also different, for example, when the operation type is viewing, the corresponding second preset weight is 40%; when the operation type is editing, the corresponding second preset weight is 60%. After the identification and the type of the to-be-accessed information of the user are determined through the access requirement information, the target weight corresponding to the to-be-accessed requirement information can be calculated, for example, the number of times that the shared data corresponding to the information identification contained in certain access requirement information has access abnormality in a third preset time period is 3, the identification operation type is editing, therefore, the first target weight corresponding to the access requirement information is determined to be 20% according to the corresponding relation between the abnormal access number and the first preset weight, the second target weight corresponding to the access requirement information is determined to be 60% according to the corresponding relation between the identification operation type and the second preset weight, and the target weight corresponding to the to-be-accessed requirement information is determined to be 80% at the moment.
The corresponding relation between the target weight and the access demand level can be set by related technicians, wherein when the corresponding relation between the target weight and the access demand level can be 0-80%, the corresponding access demand level is first-level access; when the corresponding relation between the target weight and the access demand level can be 81-160%, the corresponding access demand level is the secondary access; when the corresponding relation between the target weight and the access demand level can be 161-200%, the corresponding access demand level is three-level access.
Step Sc: and determining an access verification instruction according to the access requirement level, and feeding the access verification instruction back to the terminal equipment of the login user account, wherein the access verification instruction is used for representing the verification identifier to be obtained.
Step Sd: and after receiving the access verification identification uploaded by the user, matching the access verification identification with a pre-stored access verification identification corresponding to the access verification instruction to obtain an access verification matching value.
Specifically, the access verification instructions corresponding to different access demand levels are different, that is, the to-be-obtained verification identifiers corresponding to different access demand levels may be different, and the number of to-be-obtained verification identifiers corresponding to different access demand levels may also be different, for example, when the access demand level is a first-level access, the to-be-obtained verification identifiers included in the corresponding access verification instructions may be a and B; when the access requirement level is the second level access, the authentication identifier to be obtained included in the corresponding access authentication instruction may be A, B and C, and the pre-stored access authentication identifier corresponding to the specific access authentication instruction is not specifically limited in the embodiment of the present application, and may be set by related technicians.
Step Se: and when the access verification matching value is higher than the preset access verification matching value, allowing the user to access the shared database according to the access requirement information.
Specifically, the preset access verification matching value may be 98% or 99%, and the specific preset access verification matching value is not specifically limited in the embodiment of the present application and may be set by a related technician.
For the embodiment of the application, when the data with higher security level is required to be accessed, the data is conveniently protected by performing access verification on the visitor, the access verification instructions corresponding to the data with different security levels are different, namely, the access verification requirements corresponding to the data with different security levels are different, and the verification requirements corresponding to each data are determined according to the access requirement level corresponding to each data, so that the accuracy in determining the access verification matching result is conveniently improved.
The foregoing embodiments describe a data sharing method based on a white-box password from the perspective of a method flow, and the following embodiments describe a data sharing device based on a white-box password from the perspective of a virtual module or a virtual unit, which are described in detail in the following embodiments.
The embodiment of the application provides a data sharing device based on white-box cryptography, as shown in fig. 3, the device may specifically include a first authentication information module 310, a first matching result module 320, a dynamic key module 330, a program identification module 340, a second authentication information module 350, a second matching result module 360 and an authentication module 370, where:
The first identity verification information module 310 is configured to obtain, when access request information of a user accessing a shared database is detected, first identity verification information corresponding to the user according to the access request information, where the first identity verification information includes a user account number and a user password;
a first matching result determining module 320, configured to match the first authentication information with pre-stored first authentication information, so as to obtain a first matching result;
the dynamic key obtaining module 330 is configured to determine an access address and an access time of the user according to the access request information, and obtain a dynamic key corresponding to the access time of the user when the access address is a pre-stored access address;
a determining program identification module 340, configured to determine an access program of the user when accessing the shared database according to the access request information, and determine a preset program identification from the access program;
a second identity verification information determining module 350, configured to determine target encryption verification information corresponding to a preset program identifier according to the access time and the corresponding relationship between the program identifier and the encryption verification information, and restore the target encryption verification information according to the dynamic key to obtain second identity verification information;
A second matching result determining module 360, configured to match the second identity verification information with pre-stored second identity information, to obtain a second matching result;
the authentication module 370 is configured to perform authentication on the user according to the first matching result and the second matching result, and if the authentication is successful, allow the user to access the shared database.
In one possible implementation, the apparatus further includes:
the system comprises an integration information module, a user password module and a user password module, wherein the integration information module is used for integrating an access address of a user and account information to obtain integration information when the user is a new user, and converting the format of the integration information to obtain character information, wherein the account information comprises a user account and a user password;
the expression conversion module is used for carrying out expression conversion on the character information according to a preset conversion frequency to obtain corresponding encryption verification information, and recording a conversion rule corresponding to each expression conversion process;
and the dynamic key determining module is used for forming a dynamic key according to the preset conversion frequency and the conversion rule corresponding to each conversion.
In one possible implementation, the apparatus further includes:
the system comprises a biological feature extraction module, a user identification module and a storage module, wherein the biological feature extraction module is used for generating biological feature acquisition prompt information when an access address is not a pre-stored access address, and feeding the biological feature acquisition prompt information back to terminal equipment corresponding to the user, wherein the biological feature acquisition prompt information comprises at least one biological feature to be acquired;
The biological feature matching module is used for acquiring biological features uploaded by the user, matching the biological features with prestored biological features corresponding to the user, and obtaining a biological feature matching result;
and the biological verification module is used for carrying out identity verification on the user according to the first matching result and the biological feature matching result, and if the identity verification is successful, the user is allowed to access the shared database.
In one possible implementation, the apparatus further includes:
the remote login information determining module is used for determining each remote login address corresponding to the user account in the first preset time period and the historical remote login time corresponding to each remote login address according to the historical login information;
the historical biological feature matching result determining module is used for determining a historical biological feature matching result corresponding to the different-place login address at each historical different-place login time according to the historical biological verification information, wherein the historical biological feature matching result comprises matching and non-matching;
the statistics result module is used for counting the number of the matched result of the historical biological characteristics corresponding to each remote login address in a first preset time period;
the address type determining module is used for determining the address type of the remote login address according to the result number and a preset number threshold value, wherein the address type comprises a trusted address and an untrusted address;
The biometric identification number determining module is used for determining the biometric identification number corresponding to the address type according to the corresponding relation between the address type and the biometric identification number.
In one possible implementation, the apparatus further includes:
the remote login information acquisition module is used for acquiring the number of the remote login addresses corresponding to each user account in a second preset time period according to the historical login information;
the abnormal account number determining module is used for determining the user accounts with the number of the different-place login addresses exceeding a preset threshold value as abnormal accounts;
the historical access data determining module is used for determining the latest historical access data when the abnormal account number is logged in by adopting a pre-stored access address according to the historical access data;
the random value determining module is used for determining a random value according to a random number algorithm;
the associated account number determining module is used for acquiring a link address corresponding to the latest historical access data and determining an associated account number from the link address according to the random value;
and the associated account feedback module is used for sending the associated account to the terminal equipment corresponding to the prestored access address.
In one possible implementation, the apparatus further includes:
the access requirement acquisition module is used for acquiring access requirement information of the user if the identity verification of the user is successful, wherein the access requirement information comprises an information identifier to be accessed and an operation type to be accessed, and the operation type to be accessed comprises checking and editing;
The demand level determining module is used for determining the access demand level according to the access demand information;
the verification instruction determining module is used for determining an access verification instruction according to the access requirement level, feeding the access verification instruction back to the terminal equipment of the login user account, and the access verification instruction is used for representing a verification mark to be obtained;
the verification identification matching module is used for matching the access verification identification with a prestored access verification identification corresponding to the access verification instruction after receiving the access verification identification uploaded by the user to obtain an access verification matching value;
and the control access module is used for allowing the user to access the shared database according to the access requirement information when the access verification matching value is higher than the preset access verification matching value.
In one possible implementation manner, the requirement level determining module is specifically configured to, when determining the access requirement level according to the access requirement information:
determining the number of times of abnormal access of the to-be-accessed demand information corresponding to the to-be-accessed information identifier in a third preset time period according to the historical abnormal data;
determining a target first weight of the to-be-accessed demand information according to the abnormal access times and the corresponding relation between the abnormal access times and the first preset weight;
Determining an identification operation type of the to-be-accessed demand information according to the to-be-accessed information identification and the to-be-accessed operation type, and determining a target second weight of the to-be-accessed demand information according to the corresponding relation between the identification operation type and the second preset weight;
according to the target first weight and the target second weight of the to-be-accessed demand information, determining the target weight of the to-be-accessed demand information, and according to the corresponding relation between the target weight and the access demand level, determining the access demand level corresponding to the target weight.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In an embodiment of the present application, as shown in fig. 4, an electronic device 400 shown in fig. 4 includes: a processor 401 and a memory 403. Processor 401 is connected to memory 403, such as via bus 402. Optionally, the electronic device 400 may also include a transceiver 404. It should be noted that, in practical applications, the transceiver 404 is not limited to one, and the structure of the electronic device 400 is not limited to the embodiment of the present application.
The processor 401 may be a CPU (Central Processing Unit ), general purpose processor, DSP (Digital Signal Processor, data signal processor), ASIC (Application Specific Integrated Circuit ), FPGA (Field Programmable Gate Array, field programmable gate array) or other programmable logic device, transistor logic device, hardware components, or any combination thereof. Which may implement or perform the various exemplary logic blocks, modules, and circuits described in connection with this disclosure. Processor 401 may also be a combination that implements computing functionality, such as a combination comprising one or more microprocessors, a combination of a DSP and a microprocessor, or the like.
Bus 402 may include a path to transfer information between the components. Bus 402 may be a PCI (Peripheral Component Interconnect, peripheral component interconnect standard) bus or EISA (Extended Industry Standard Architecture ) bus, among others. Bus 402 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 4, but not only one bus or one type of bus.
The Memory 403 may be, but is not limited to, a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory ) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory ), a CD-ROM (Compact Disc Read Only Memory, compact disc Read Only Memory) or other optical disk storage, optical disk storage (including compact discs, laser discs, optical discs, digital versatile discs, blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
The memory 403 is used for storing application program codes for executing the present application and is controlled to be executed by the processor 401. The processor 401 is arranged to execute application code stored in the memory 403 for implementing what is shown in the foregoing method embodiments.
Among them, electronic devices include, but are not limited to: mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. But may also be a server or the like. The electronic device shown in fig. 4 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments herein.
The present application provides a computer readable storage medium having a computer program stored thereon, which when run on a computer, causes the computer to perform the corresponding method embodiments described above.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
The foregoing is only a partial embodiment of the present application, and it should be noted that, for a person skilled in the art, several improvements and modifications can be made without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A white-box password-based data sharing method, comprising:
when access request information of a user accessing a shared database is detected, acquiring first authentication information corresponding to the user according to the access request information, wherein the first authentication information comprises a user account number and a user password;
matching the first authentication information with pre-stored first authentication information to obtain a first matching result;
determining an access address and access time of the user according to the access request information, and acquiring a dynamic key corresponding to the user at the access time when the access address is a prestored access address;
determining an access program of the user when accessing the shared database according to the access request information, and determining a preset program identifier from the access program;
determining target encryption verification information corresponding to the preset program identifier according to the access time and the corresponding relation between the program identifier and the encryption verification information, and restoring the target encryption verification information according to the dynamic key to obtain second identity verification information;
matching the second identity verification information with pre-stored second identity information to obtain a second matching result;
And carrying out identity verification on the user according to the first matching result and the second matching result, and allowing the user to access a shared database if the identity verification is successful.
2. The method for sharing data based on white-box cryptography according to claim 1, wherein the process of forming the dynamic key comprises:
when the user is a new user, integrating the access address and account information of the user to obtain integrated information, and converting the format of the integrated information to obtain character information, wherein the account information comprises a user account and a user password;
performing expression conversion on the character information according to a preset conversion frequency to obtain corresponding encryption verification information, and recording a conversion rule corresponding to each expression conversion process;
and forming a dynamic key according to the preset conversion frequency and a conversion rule corresponding to each conversion.
3. The white-box password-based data sharing method according to claim 1, wherein after determining the access address and the access time of the user, further comprising:
when the access address is not a pre-stored access address, generating a biological feature acquisition prompt message, and feeding back the biological feature acquisition prompt message to a terminal device corresponding to the user, wherein the biological feature acquisition prompt message comprises at least one biological feature to be acquired;
Acquiring the biological characteristics uploaded by the user, and matching the biological characteristics with pre-stored biological characteristics corresponding to the user to obtain a biological characteristic matching result;
and carrying out identity verification on the user according to the first matching result and the biological characteristic matching result, and allowing the user to access a shared database if the identity verification is successful.
4. The method for sharing data based on white-box cryptography according to claim 3, wherein before generating the biometric acquisition prompt, the method further comprises:
according to the historical login information, determining each remote login address corresponding to the user account in a first preset time period and historical remote login time corresponding to each remote login address;
according to the historical biological verification information, determining a historical biological feature matching result corresponding to the different-place login address at each historical different-place login time, wherein the historical biological feature matching result comprises matching and non-matching;
counting the number of the matched result of the historical biological feature corresponding to each remote login address in the first preset time period;
determining the address type of the remote login address according to the result number and a preset number threshold, wherein the address type comprises a trusted address and an untrusted address;
And determining the biological feature identification quantity corresponding to the address type according to the corresponding relation between the address type and the biological feature identification quantity.
5. A white-box password-based data sharing method according to claim 3, further comprising:
acquiring the number of the different-place login addresses corresponding to each user account in a second preset time period according to the historical login information;
determining the user account number with the number of the different-place login addresses exceeding a preset threshold value as an abnormal account number;
according to the historical access data, determining the latest historical access data when the abnormal account logs in by adopting a pre-stored access address;
determining a random value according to a random number algorithm;
acquiring a link address corresponding to the latest historical access data, and determining an associated account number from the link address according to a random value;
and sending the associated account number to the terminal equipment corresponding to the pre-stored access address.
6. The white-box password-based data sharing method according to claim 1, wherein after the authentication of the user according to the first matching result and the second matching result, further comprising:
if the identity verification of the user is successful, the access requirement information of the user is obtained, wherein the access requirement information comprises an information identifier to be accessed and an operation type to be accessed, and the operation type to be accessed comprises checking and editing;
Determining an access demand level according to the access demand information;
determining an access verification instruction according to the access demand level, and feeding the access verification instruction back to the terminal equipment logging in the user account, wherein the access verification instruction is used for representing a verification identifier to be obtained;
after receiving the access verification identification uploaded by the user, matching the access verification identification with a pre-stored access verification identification corresponding to the access verification instruction to obtain an access verification matching value;
and when the access verification matching value is higher than a preset access verification matching value, allowing the user to access the shared database according to the access requirement information.
7. The white-box password-based data sharing method of claim 6, wherein the determining the access requirement level according to the access requirement information comprises:
determining the number of times of abnormal access of the to-be-accessed demand information corresponding to the to-be-accessed information identifier in a third preset time period according to the historical abnormal data;
determining a target first weight of the to-be-accessed demand information according to the abnormal access times and the corresponding relation between the abnormal access times and the first preset weight;
Determining an identification operation type of the to-be-accessed demand information according to the to-be-accessed information identification and the to-be-accessed operation type, and determining a target second weight of the to-be-accessed demand information according to a corresponding relation between the identification operation type and the second preset weight;
determining a target weight of the to-be-accessed demand information according to the target first weight and the target second weight of the to-be-accessed demand information, and determining an access demand level corresponding to the target weight according to the corresponding relation between the target weight and the access demand level.
8. A white-box password-based data sharing apparatus, comprising:
the system comprises a first identity verification information acquisition module, a second identity verification information acquisition module and a user password acquisition module, wherein the first identity verification information acquisition module is used for acquiring first identity verification information corresponding to a user according to access request information when the access request information of the user when the user accesses a shared database is detected, and the first identity verification information comprises a user account number and the user password;
a first matching result determining module, configured to match the first authentication information with pre-stored first authentication information, to obtain a first matching result;
the dynamic key acquisition module is used for determining the access address and the access time of the user according to the access request information, and acquiring a dynamic key corresponding to the access time of the user when the access address is a prestored access address;
The program identification determining module is used for determining an access program of the user when accessing the shared database according to the access request information and determining a preset program identification from the access program;
a second identity verification information determining module, configured to determine target encryption verification information corresponding to the preset program identifier according to the current access time and a corresponding relationship between the program identifier and the encryption verification information, and restore the target encryption verification information according to the dynamic key to obtain second identity verification information;
a second matching result determining module, configured to match the second authentication information with pre-stored second identity information, to obtain a second matching result;
and the identity verification module is used for carrying out identity verification on the user according to the first matching result and the second matching result, and if the identity verification is successful, the user is allowed to access the shared database.
9. An electronic device, comprising:
at least one processor;
a memory;
at least one application, wherein the at least one application is stored in memory and configured to be executed by at least one processor, the at least one application configured to: a white-box password based data sharing method as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium, comprising: a computer program stored with a memory capable of being loaded by a processor and executing a white-box cryptographic based data sharing method according to any of claims 1-7.
CN202311368306.8A 2023-10-23 2023-10-23 Data sharing method and device based on white-box password, electronic equipment and medium Active CN117118750B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311368306.8A CN117118750B (en) 2023-10-23 2023-10-23 Data sharing method and device based on white-box password, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311368306.8A CN117118750B (en) 2023-10-23 2023-10-23 Data sharing method and device based on white-box password, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN117118750A CN117118750A (en) 2023-11-24
CN117118750B true CN117118750B (en) 2024-03-29

Family

ID=88796945

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311368306.8A Active CN117118750B (en) 2023-10-23 2023-10-23 Data sharing method and device based on white-box password, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN117118750B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108287894A (en) * 2018-01-19 2018-07-17 腾讯科技(深圳)有限公司 Data processing method, device, computing device and storage medium
CN111988330A (en) * 2020-08-28 2020-11-24 苏州中科安源信息技术有限公司 Information security protection system and method based on white-box encryption in distributed system
WO2022206349A1 (en) * 2021-04-02 2022-10-06 腾讯科技(深圳)有限公司 Information verification method, related apparatus, device, and storage medium
CN115333749A (en) * 2022-07-26 2022-11-11 国网湖北省电力有限公司信息通信公司 Monitoring protection method and device based on terminal system access control and intrusion

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108287894A (en) * 2018-01-19 2018-07-17 腾讯科技(深圳)有限公司 Data processing method, device, computing device and storage medium
CN111988330A (en) * 2020-08-28 2020-11-24 苏州中科安源信息技术有限公司 Information security protection system and method based on white-box encryption in distributed system
WO2022206349A1 (en) * 2021-04-02 2022-10-06 腾讯科技(深圳)有限公司 Information verification method, related apparatus, device, and storage medium
CN115333749A (en) * 2022-07-26 2022-11-11 国网湖北省电力有限公司信息通信公司 Monitoring protection method and device based on terminal system access control and intrusion

Also Published As

Publication number Publication date
CN117118750A (en) 2023-11-24

Similar Documents

Publication Publication Date Title
US10965668B2 (en) Systems and methods to authenticate users and/or control access made by users based on enhanced digital identity verification
US10356099B2 (en) Systems and methods to authenticate users and/or control access made by users on a computer network using identity services
CN106330850B (en) Security verification method based on biological characteristics, client and server
CN106797371B (en) Method and system for user authentication
CN112182519B (en) Computer storage system security access method and access system
WO2018075314A1 (en) Systems and methods to authenticate users and/or control access made by users on a computer network using a graph score
US20210377258A1 (en) Attributed network enabled by search and retreival of privity data from a registry and packaging of the privity data into a digital registration certificate for attributing the data of the attributed network
CN108768660A (en) Internet of things equipment identity identifying method based on physics unclonable function
KR20070024633A (en) Renewable and private biometrics
CN111274046A (en) Service call validity detection method and device, computer equipment and computer storage medium
CN110268406B (en) Password security
CN105516133A (en) User identity verification method, server and client
CN102457377A (en) Role-based web remote authentication and authorization method and system thereof
US11824850B2 (en) Systems and methods for securing login access
CN118214615B (en) Unified management method and device for background authorization of multiple social media platforms
CN105830079A (en) Authentication information management system, authentication information management device, program, recording medium, and authentication information management method
KR101221728B1 (en) The certification process server and the method for graphic OTP certification
CN117118750B (en) Data sharing method and device based on white-box password, electronic equipment and medium
CN114553573A (en) Identity authentication method and device
US20200186535A1 (en) Methods, systems, apparatuses and devices for facilitating security of a resource using a plurality of credentials
CN106453273A (en) Cloud technology based information security management system and method
CN114640527B (en) Real estate registration service network security risk identification method and system based on log audit
CN113254901B (en) Data security access method and device
CN116684207B (en) Method, device, equipment and medium for processing monitoring data based on blockchain
KR102486585B1 (en) Method for Verifying User Credentials in Network, and Service Providing Server Used Therein

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant