CN117768126A

CN117768126A - Service list authentication method and device based on digital signature, medium and electronic equipment

Info

Publication number: CN117768126A
Application number: CN202311790763.6A
Authority: CN
Inventors: 蔡权伟; 冯文中; 钟明
Original assignee: Beijing Zitiao Network Technology Co Ltd
Current assignee: Beijing Zitiao Network Technology Co Ltd
Priority date: 2023-12-22
Filing date: 2023-12-22
Publication date: 2024-03-26

Abstract

The disclosure relates to a service ticket authentication method, device, medium and electronic equipment based on digital signature. The method comprises the following steps: generating a second signature according to the ciphertext information and a locally stored unified key in response to receiving the first signature and ciphertext information sent by the second server, wherein the first signature is generated by the first client based on the ciphertext information and the unified key issued by the first server when the first client is started and is sent to the second server, the ciphertext information is obtained by encrypting the identification of a user of the first client when the second server generates a target service ticket of the first client, and all clients facing the first server commonly have the unified key; and determining whether the target service ticket is valid according to the first signature and the second signature. In this way, the service ticket information can be protected while ensuring that the second server and the first server are properly reconciled.

Description

Service list authentication method and device based on digital signature, medium and electronic equipment

Technical Field

The disclosure relates to the technical field of computers, in particular to a service ticket authentication method, device, medium and electronic equipment based on digital signature.

Background

There is a scenario in which a certain company purchases a personal-oriented consulting service provided by a third party service provider as an employee benefit. However, if the company settles the fee with the provider due to the consultation, the information of the staff acquired service is leaked by the consultation record corresponding to the individual. For this concern, the current approach is that, to avoid touching the service ticket information, the company chooses to assume financial risk, not to reconcile with the service provider at all.

Therefore, there is a need for a scheme that can secure both service ticket information and also ensure adequate reconciliation of companies and service providers as payors.

Disclosure of Invention

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

In a first aspect, the present disclosure provides a service ticket authentication method based on digital signature, applied to a first server, including:

generating a second signature according to the cryptogram information and a locally stored unified key in response to receiving the first signature and the cryptogram information sent by a second server, wherein the first signature is generated by a first client based on the cryptogram information and the unified key issued by the first server when the first client is started and sent to the second server, the cryptogram information is obtained by encrypting the identification of a user of the first client by the second server when a target service ticket of the first client is generated, and all clients facing the first server commonly own the unified key, and the first client is any one of the clients;

And determining whether the target service ticket is valid according to the first signature and the second signature.

In a second aspect, the present disclosure provides a service ticket authentication method based on digital signature, applied to a first client, including:

generating a first signature based on ciphertext information and a unified key in response to receiving ciphertext information sent by a second server, wherein the ciphertext information is obtained by encrypting an identifier of a user of the first client by the second server, the unified key is issued by the first server when the first client is started, all clients facing the first server commonly have the unified key, and the first client is any one of the clients;

the first signature is sent to the second server to send the ciphertext information and the first signature to the first server by the second server.

In a third aspect, the present disclosure provides a service ticket authentication device based on a digital signature, applied to a first server, including:

a first generation module, configured to generate a second signature according to ciphertext information and a locally stored unified key in response to receiving the first signature and ciphertext information sent by a second server, where the first signature is generated by a first client based on the ciphertext information and the unified key issued by the first server when the first client is started, and sent to the second server, and the ciphertext information is obtained by encrypting, by the second server, an identifier of a user of the first client when a target service ticket of the first client is generated, where all clients to which the first server is facing commonly possess the unified key, and the first client is any one of the all clients;

And the first determining module is used for determining whether the target service list is valid or not according to the first signature and the second signature.

In a fourth aspect, the present disclosure provides a service ticket authentication device based on digital signature, applied to a first client, including:

the second generation module is used for generating a first signature based on ciphertext information and a unified key in response to receiving ciphertext information sent by a second server, wherein the ciphertext information is obtained by encrypting the identification of a user of the first client by the second server, the unified key is issued by the first server when the first client is started, all clients facing the first server commonly have the unified key, and the first client is any one of the clients;

and the first sending module is used for sending the first signature to the second server so that the second server can send the ciphertext information and the first signature to the first server.

In a fifth aspect, the present disclosure provides a computer readable medium having stored thereon a computer program which, when executed by a processing device, implements the steps of the digital signature based service ticket authentication method provided in the first aspect of the present disclosure or the steps of the digital signature based service ticket authentication method provided in the second aspect of the present disclosure.

In a sixth aspect, the present disclosure provides an electronic device, comprising:

a storage device having a computer program stored thereon;

processing means for executing the computer program in the storage means to implement the steps of the digital signature-based service ticket authentication method provided in the first aspect of the present disclosure or the steps of the digital signature-based service ticket authentication method provided in the second aspect of the present disclosure.

In the above technical solution, after receiving the ciphertext information sent by the second server, the first client generates a first signature based on the ciphertext information and the unified key and sends the first signature to the second server, so that the second server sends the ciphertext information and the first signature to the first server; after receiving the first signature and the ciphertext information sent by the second server, the first server generates a second signature according to the ciphertext information and a locally stored unified key, and then determines whether the target service ticket is valid according to the first signature and the second signature. In this way, the first server can authenticate the validity of the service order to confirm the service order act of the first client, so that a safer authentication mechanism can be provided, and the service provider and the company can be ensured to be checked out correctly. In addition, in the service list validity authentication process, the first server and the first client do not directly perform data communication, which means that the first server cannot be positioned to a specific first client through an internal communication link; the ciphertext information is obtained by encrypting the identification of the user (namely staff) of the first client by the second server, the encryption key is held by the second server, and the first server cannot reversely acquire the identification of the user of the first client by decrypting the ciphertext information; moreover, each first client can obtain a unified key only by starting, and all clients facing the first server commonly have the unified key, so that the first server cannot reversely push which first clients are subjected to service ordering through the starting of the first clients; therefore, the first server cannot locate the specific staff corresponding to the target service list, so that the service list information can be protected while the correct reconciliation of the service provider and the company is ensured.

Additional features and advantages of the present disclosure will be set forth in the detailed description which follows.

Drawings

The above and other features, advantages, and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. The same or similar reference numbers will be used throughout the drawings to refer to the same or like elements. It should be understood that the figures are schematic and that elements and components are not necessarily drawn to scale. In the drawings:

fig. 1 is a flow chart illustrating a digital signature based service ticket authentication method according to an exemplary embodiment.

Fig. 2 is a signaling interaction diagram illustrating a digital signature-based service ticket authentication method according to an exemplary embodiment.

Fig. 3 is a signaling interaction diagram illustrating a digital signature-based service ticket authentication method according to another exemplary embodiment.

Fig. 4 is a flow chart illustrating a digital signature based service ticket authentication method according to an exemplary embodiment.

Fig. 5 is a signaling interaction diagram illustrating a digital signature-based service ticket authentication method according to another exemplary embodiment.

Fig. 6 is a signaling interaction diagram illustrating a digital signature-based service ticket authentication method according to another exemplary embodiment.

Fig. 7 is a signaling interaction diagram illustrating a digital signature-based service ticket authentication method according to another exemplary embodiment.

Fig. 8 is a signaling interaction diagram illustrating a digital signature-based service ticket authentication method according to another exemplary embodiment.

Fig. 9 is a block diagram illustrating a digital signature based service ticket authentication apparatus according to an exemplary embodiment.

Fig. 10 is a block diagram illustrating a digital signature based service ticket authentication apparatus according to an exemplary embodiment.

Fig. 11 is a schematic diagram showing a structure of an electronic device according to an exemplary embodiment.

Detailed Description

Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been shown in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but are provided to provide a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.

It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.

The term "including" and variations thereof as used herein are intended to be open-ended, i.e., including, but not limited to. The term "based on" is based at least in part on. The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments. Related definitions of other terms will be given in the description below.

It should be noted that the terms "first," "second," and the like in this disclosure are merely used to distinguish between different devices, modules, or units and are not used to define an order or interdependence of functions performed by the devices, modules, or units.

It should be noted that references to "one", "a plurality" and "a plurality" in this disclosure are intended to be illustrative rather than limiting, and those of ordinary skill in the art will appreciate that "one or more" is intended to be understood as "one or more" unless the context clearly indicates otherwise.

The names of messages or information interacted between the various devices in the embodiments of the present disclosure are for illustrative purposes only and are not intended to limit the scope of such messages or information.

It will be appreciated that prior to using the technical solutions disclosed in the embodiments of the present disclosure, the user should be informed and authorized of the type, usage range, usage scenario, etc. of the personal information related to the present disclosure in an appropriate manner according to the relevant legal regulations.

For example, in response to receiving an active request from a user, a prompt is sent to the user to explicitly prompt the user that the operation it is requesting to perform will require personal information to be obtained and used with the user. Thus, the user can autonomously select whether to provide personal information to software or hardware such as an electronic device, an application program, a server or a storage medium for executing the operation of the technical scheme of the present disclosure according to the prompt information.

As an alternative but non-limiting implementation, in response to receiving an active request from a user, the manner in which the prompt information is sent to the user may be, for example, a popup, in which the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide personal information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.

It will be appreciated that the above-described notification and user authorization process is merely illustrative and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.

Meanwhile, it can be understood that the data (including but not limited to the data itself, the acquisition or the use of the data) related to the technical scheme should conform to the requirements of the corresponding laws and regulations and related regulations.

Fig. 1 is a flowchart illustrating a digital signature based service ticket authentication method, which is applied to a first server, according to an exemplary embodiment. As shown in fig. 1, the method may include the following S101 and S102.

In S101, in response to receiving the first signature and the ciphertext information sent by the second server, a second signature is generated from the ciphertext information and the locally stored unified key.

In S102, it is determined whether the target service ticket is valid based on the first signature and the second signature.

In the present disclosure, the first signature is generated by the first client based on ciphertext information and a unified key issued by the first server when the first client is started, and the ciphertext information is sent to the second server, where the ciphertext information is obtained by encrypting, by the second server, an identification of a user of the first client (for example, information such as an ID of the user) when generating a target service ticket of the first client, and all clients to which the first server is directed commonly have the unified key, and the first client is any one of all clients.

The first server may be a server of a company, the second server may be a server of a service provider, the first client may be a client of the company, and all clients facing the first server commonly have the uniform key, that is, all clients owned by employees loaded by the company commonly have the uniform key.

Specifically, as shown in fig. 2, an employee may initiate a service request through a first client, and after the first client receives the service request, the first client sends the service request to a second server; after receiving a service request sent by a first client, a second server generates a target service list, encrypts the identification of a user of the first client to obtain ciphertext information, and then sends the ciphertext information to the first client, wherein the service request comprises the identification of the user of the first client; the first client responds to receiving ciphertext information sent by the second server, generates a first signature based on the ciphertext information and the unified key, and sends the first signature to the second server; the second server sends the ciphertext information and the first signature to the first server in response to receiving the first signature; the first server responds to the first signature and the ciphertext information sent by the second server, generates a second signature according to the ciphertext information and a locally stored unified key, and then determines whether the target service ticket is valid according to the first signature and the second signature.

Specifically, if the first signature is consistent with the second signature, determining that the target service list is valid, at this time, the first server may save the single number of the target service list for subsequent reconciliation, and may send first feedback information for characterizing that the target service list is valid to the second server, and the second server receives the first feedback information, at this time, the target service list is completed; if the first signature is inconsistent with the second signature, determining that the target service list is invalid, at this time, the first server may send second feedback information for representing that the target service list is invalid to the second server, and the second server receives the second feedback information, so that the target service list fails to be ordered.

In one possible implementation manner, before the step S101, the service ticket authentication method based on digital signature may further include the following three steps:

generating a first random number in response to receiving service order negotiation for a target service order sent by a second server;

transmitting the first random number to the first client via the second server to generate a first signature by the first client based on the ciphertext information, the unified key, and the first random number;

determining whether a corresponding historical service list exists in the first random number or not in response to receiving the first signature and ciphertext information sent by the second server;

at this time, the generating the second signature according to the ciphertext information and the locally stored unified key may include:

and if the first random number does not have the corresponding history service list, generating a second signature according to the ciphertext information, the locally stored unified key and the first random number.

In the present disclosure, the first random Number is a non-repeating random value, and in one embodiment, the first random Number is a Number used once (Nonce) in cryptography.

As shown in fig. 3, after generating the target service ticket, the second server may send a service ticket negotiation for the target service ticket to the first server; after receiving the service order negotiation, the first server generates a first random number, and sends the first random number to the first client through the second server so that the first client generates a first signature based on ciphertext information, a unified key and the first random number; after the first client generates the first signature, the first signature is sent to the second server, and then the second server sends the first signature and ciphertext information to the first server; after receiving the first signature and ciphertext information sent by the second server, the first server determines whether a corresponding history service list exists in the first random number, wherein the first random number is equivalent to a license which is issued to the second server by the first server and allows the second server to issue the license, and one first random number can only allow the second server to issue the license once; if the first random number has a corresponding history service list, the first random number is used for indicating that the history service list is created, and the target service list can be directly determined to be invalid, at the moment, the first server can send second feedback information used for representing that the target service list is invalid to the second server, the second server receives the second feedback information, and the target service list is failed to be placed; if the first random number does not have the corresponding history service list, the first server can generate a second signature according to the ciphertext information, the locally stored unified key and the first random number, and then determine whether the target service list is valid according to the first signature and the second signature.

In the above embodiment, the first random number corresponds to a license issued by the first server to the second server and allowed to be issued, and one first random number may be allowed to be issued only once, and if the first random number does not have a corresponding history service ticket, the second signature is generated according to the ciphertext information, the locally stored unified key, and the first random number. In this way, the service provider can be prevented from using the information of the existing staff to place an empty bill through the second server, and the financial loss risk caused by the false bill of the service provider is avoided.

In one possible implementation manner, before the step S101, the service ticket authentication method based on digital signature may further include the following steps:

determining the number of effective service orders corresponding to the ciphertext information;

and if the number of the effective service orders does not reach the preset threshold, executing the step of generating a second signature according to the ciphertext information and the locally stored unified key.

In the disclosure, if the number of the effective service orders corresponding to the ciphertext information reaches a preset threshold, sending second feedback information for representing that the target service order is invalid to a second server, wherein the target service order fails; and if the number of the effective service orders corresponding to the ciphertext information does not reach the preset threshold, executing the step of generating a second signature according to the ciphertext information and the locally stored unified key.

For multiple service requests of the same first client, the ciphertext information generated by the second server is the same, that is, the ciphertext information obtained by encrypting the identity of the user of the same first client each time by the second server is the same, so that the number of times of the first client (that is, the number of valid service orders corresponding to the ciphertext information) can be counted based on the ciphertext information, and therefore, the first server can limit the maximum number of times of the first client (that is, a preset threshold value) on the premise of not knowing the relationship between staff and orders.

For example, the identification of the user of the first client may be encrypted using a codebook (Electronic Codebook, ECB) mode of an advanced encryption standard (Advanced Encryption Standard, AES) such that the ciphertext information obtained by the second server encrypting the identification of the user of the same first client each time is the same.

In one possible implementation manner, the service ticket authentication method based on digital signature may further include the following steps:

determining whether a user of the first client has service rights or not in response to receiving a right checking instruction sent by the first client when the first client is started;

And if the user of the first client has the service authority, issuing a unified key to the first client.

In the present disclosure, when a first client is started, a right verification instruction for requesting to verify whether a user of the first client has a service right may be sent to a first server; after receiving the permission verification instruction, the first server can determine whether the user of the first client has the service permission according to the service permission white list, and if the user of the first client has the service permission, the first server issues a unified key to the first client; the first client receives the unified key to generate a first signature based on the unified key and ciphertext information. In this way, in the starting stage of the first client, the service authority of the user of the first client is verified, and the unified key issued by the first server is received only when the user of the first client has the service authority, so that the generation of the first signature and the subsequent smooth operation are ensured; under the condition that the user of the first client does not have the service authority, the first client cannot acquire the unified key issued by the first server, namely the first signature generation and the subsequent target service list verification operation cannot be performed, and at the moment, the target service list is determined to be invalid, so that the safety and the reliability of the target service list verification can be ensured.

Wherein, whether the user of the first client has the service authority can be determined according to the service authority white list by the following method: if the user of the first client is in the service authority white list, determining that the user of the first client has the service authority; if the user of the first client is not in the service authority white list, determining that the user of the first client does not have the service authority.

In order to avoid the problem that the unified key leaks to cause the second server to issue the list, the unified key may be updated according to a preset period, and specifically, the service list authentication method based on digital signature may further include the following steps:

and updating the unified key according to a preset period.

Fig. 4 is a flowchart illustrating a digital signature based service ticket authentication method, which is applied to a first client, according to an exemplary embodiment. As shown in fig. 4, the method may include the following S201 and S202.

In S201, in response to receiving the ciphertext information transmitted by the second server, a first signature is generated based on the ciphertext information and the unified key.

The ciphertext information is obtained by encrypting the user identification of the first client by the second server, the unified key is issued by the first server when the first client is started, all clients facing the first server commonly have the unified key, and the first client is any one of all clients.

In S202, the first signature is transmitted to the second server to transmit the ciphertext information and the first signature to the first server by the second server.

In one possible embodiment, before the step of generating the first signature based on the ciphertext information and the unified key, the digital signature-based service ticket authentication method applied to the first client may further include the steps of:

generating indication information for indicating whether to confirm the order or not in response to receiving the ciphertext information;

and if the confirmation order instruction is received within the preset time for generating the indication information, executing the step of generating the first signature based on the ciphertext information and the unified key.

As shown in fig. 5, after receiving the ciphertext information sent by the second server, the first client may generate indication information for indicating whether to confirm the order in a pop-up window, voice, or other form, so that the employee can confirm whether to make the order; if a confirmation order instruction is received within a preset time (for example, 1 minute) for generating the indication information, executing the step of generating a first signature based on the ciphertext information and the unified key; if the order confirmation instruction is not received within the preset time for generating the indication information, the first client can send third feedback information for representing that the staff does not confirm the order to the second server; and the second server receives the third feedback information, and the target service list fails to be ordered.

In the above embodiment, the first signature is generated only when the user of the first client confirms the order, which means that only one service order can be created in a single confirmation of the user of the first client, so that the possibility that the second server uses the information of the existing employee to place an empty order without the employee's knowledge is eliminated.

In one possible implementation manner, the service ticket authentication method based on digital signature applied to the first client may further include the following steps:

receiving a first random number sent by a second server;

generating a first signature based on ciphertext information and a unified key, comprising:

a first signature is generated based on the ciphertext information, the unified key, and the first random number.

generating a third signature based on the second random number in response to receiving the second random number sent by the second server, wherein the second random number and the ciphertext information are sent to the first client side by the second server;

the third signature is sent to the second server to send the ciphertext information and the first signature to the first client if the fourth signature generated based on the second random number matches the third signature.

As shown in fig. 6, when receiving a service request sent by the first client, the second server may generate a second random number, and send the second random number and ciphertext information to the first client; the first client responds to the received second random number and ciphertext information sent by the second server, generates a first signature based on the ciphertext information and the unified key, generates a third signature based on the second random number, and then sends the first signature and the third signature to the second server; the second server generates a fourth signature based on the second random number after receiving the first signature and the third signature, and determines whether the third signature and the fourth signature are consistent; if the third signature is consistent with the fourth signature, the step of sending the ciphertext information and the first signature to the first server is performed, and if the third signature is inconsistent with the fourth signature, the ciphertext information and the second random number may be tampered during the process of being transmitted from the second server to the first client, at this time, the second server may directly determine that the target service ticket is invalid, without performing the step of sending the ciphertext information and the first signature to the first server and other operations after the step. Therefore, the safety and reliability of target service list verification can be ensured.

when a first client is started, sending a right checking instruction for requesting to verify whether a user of the first client has service right or not to a first server;

a unified key issued by a first server upon determining that a user of a first client has service rights is received.

In one possible implementation, as shown in fig. 7, an employee may initiate a service request through a first client, and after the first client receives the service request, the first client sends the service request to a second server; after receiving a service request sent by a first client, a second server generates a target service list and a second random number, encrypts the identification of a user of the first client to obtain ciphertext information, and then sends a service list negotiation for the target service list to the first server; after receiving the service order negotiation, the first server generates a first random number and sends the first random number to the second server; after receiving the first random number, the second server sends the first random number, the second random number and ciphertext information to the first client; after receiving the first random number, the second random number and the ciphertext information, the first client generates indication information for indicating whether to confirm the order or not, so that staff can confirm whether to order or not; if a confirmation order-making instruction is received within a preset time length for generating the indication information, generating a first signature based on the ciphertext information, the unified key and the first random number, generating a third signature based on the second random number, and transmitting the first signature and the third signature to a second server; if the order confirmation instruction is not received within the preset time for generating the indication information, the first client can send third feedback information for representing that the staff does not confirm the order to the second server; the second server receives the third feedback information, and the target service order fails, at which point the flow (not shown in fig. 7) ends.

After receiving the first signature and the third signature, the second server generates a fourth signature based on the second random number and determines whether the third signature and the fourth signature are consistent, if the third signature and the fourth signature are consistent, the ciphertext information and the first signature are sent to the first server, and if the third signature and the fourth signature are inconsistent, the ciphertext information and the second random number are indicated to be possibly tampered with in the process of being transmitted from the second server to the first client, at this time, the second server can directly determine that the target service ticket is invalid, and the process (not shown in fig. 7) is ended.

After receiving the first signature and ciphertext information sent by the second server, the first server determines whether a corresponding history service list exists in the first random number; if the first random number has a corresponding historical service list, the target service list can be directly determined to be invalid, at this time, the first server can send second feedback information for representing that the target service list is invalid to the second server, the second server receives the second feedback information, the target service list fails to be ordered, and the flow (not shown in fig. 7) is ended; if the first random number does not have the corresponding history service list, the fact that the history service list is not created by the first random number is indicated, at this time, a second signature can be generated according to ciphertext information, a locally stored unified key and the first random number, and then whether the target service list is effective or not is determined according to the first signature and the second signature.

In one possible implementation, the first client communicates with the second server through the second client, i.e., the second client acts as a communication medium between the first client and the second server (as shown in fig. 8), wherein the employee may initiate the service request through the second client. Wherein the second client may be a client of a service provider.

The specific operation of the digital signature-based service ticket authentication method applied to the first client side is described in detail above in conjunction with fig. 2, 3 and 5-8, and will not be repeated here.

Fig. 9 is a block diagram illustrating a digital signature based service ticket authentication apparatus 900 applied to a first server according to an exemplary embodiment. As shown in fig. 9, the digital signature-based service ticket authentication apparatus 900 may include:

a first generation module 901, configured to generate, in response to receiving a first signature and ciphertext information sent by a second server, a second signature according to the ciphertext information and a locally stored unified key, where the first signature is generated by a first client based on the ciphertext information and the unified key issued by the first server when the first client is started, and sent to the second server, and the ciphertext information is obtained by encrypting, by the second server, an identifier of a user of the first client when a target service ticket of the first client is generated, where all clients to which the first server faces commonly possess the unified key, and the first client is any one of the all clients;

A first determining module 902, configured to determine whether the target service ticket is valid according to the first signature and the second signature.

Optionally, the apparatus 900 further includes:

a third generation module, configured to generate, before the first generation module 901 generates a second signature according to the ciphertext information and a locally stored unified key, a first random number in response to receiving a service order negotiation for the target service order sent by the second server, where the first random number is a non-repeated random value;

a second sending module, configured to send the first random number to the first client via the second server, so that the first client generates the first signature based on the ciphertext information, the unified key, and the first random number;

the second determining module is used for determining whether the first random number has a corresponding history service list or not in response to receiving the first signature and the ciphertext information sent by the second server;

the first generating module 901 is configured to generate a second signature according to the ciphertext information, the locally stored unified key, and the first random number if the first random number does not have the corresponding history service ticket.

Optionally, for multiple service requests of the first client, the ciphertext information generated by the second server is the same;

The apparatus 900 further comprises:

a third determining module, configured to determine, before the first generating module 901 generates a second signature according to the ciphertext information and a locally stored unified key, a number of valid service tickets corresponding to the ciphertext information;

and the first triggering module is configured to trigger the first generating module 901 to generate a second signature according to the ciphertext information and the locally stored unified key if the number does not reach the preset threshold.

Optionally, the apparatus 900 further includes:

a fourth determining module, configured to determine whether the user has a service right in response to receiving a right checking instruction sent by the first client when the first client is started;

and the third sending module is used for sending the unified key to the first client if the user has the service authority.

Optionally, the apparatus 900 further includes:

and the updating module is used for updating the unified key according to a preset period.

Fig. 10 is a block diagram illustrating a digital signature based service ticket authentication apparatus 1000 applied to a first client according to an exemplary embodiment. As shown in fig. 10, the digital signature-based service ticket authentication apparatus 1000 includes:

A second generating module 1001, configured to generate, in response to receiving ciphertext information sent by a second server, a first signature based on the ciphertext information and a unified key, where the ciphertext information is obtained by encrypting, by the second server, an identifier of a user of the first client, the unified key is issued by the first server when the first client is started, all clients faced by the first server commonly own the unified key, and the first client is any one of the all clients;

a first sending module 1002, configured to send the first signature to the second server, so that the second server sends the ciphertext information and the first signature to the first server.

Optionally, the apparatus 1000 further includes:

a fourth generation module, configured to generate, in response to receiving the ciphertext information, indication information for indicating whether to confirm the order before the second generation module 1001 generates a first signature based on the ciphertext information and a unified key;

and the second triggering module is configured to trigger the second generating module 1001 to generate a first signature based on the ciphertext information and the unified key if the confirmation order instruction is received within a preset duration of generating the indication information.

Optionally, the apparatus 1000 further includes:

the first receiving module is used for receiving the first random number sent by the second server;

the second generating module 1001 is configured to generate a first signature based on the ciphertext information, the unified key, and the first random number.

Optionally, the apparatus 1000 further includes:

a fifth generation module, configured to generate a third signature based on a second random number in response to receiving the second random number sent by the second server, where the second random number and the ciphertext information are sent by the second server to the first client together;

the first sending module 1002 is further configured to send the third signature to the second server, so that the second server sends the ciphertext information and the first signature to the first client if a fourth signature generated based on the second random number is consistent with the third signature.

Optionally, the apparatus 1000 further includes:

the fourth sending module is used for sending a right checking instruction for requesting to verify whether the user has service right or not to the first server when the first client is started;

and the second receiving module is used for receiving the unified key issued by the first server when the user is determined to have the service right.

Optionally, the first client communicates with the second server through a second client.

The present disclosure also provides a computer-readable medium having stored thereon a computer program which, when executed by a processing device, implements the steps of the above-described digital signature-based service ticket authentication method applied to a first server provided by the present disclosure or the steps of the above-described digital signature-based service ticket authentication method applied to a first client provided by the present disclosure.

Referring now to fig. 11, a schematic diagram of an electronic device (e.g., a terminal device or server) 600 suitable for use in implementing embodiments of the present disclosure is shown. The terminal devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 11 is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present disclosure.

As shown in fig. 11, the electronic device 600 may include a processing means (e.g., a central processing unit, a graphic processor, etc.) 601, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.

In general, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, and the like; an output device 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, magnetic tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 11 shows an electronic device 600 having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.

In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via communication means 609, or from storage means 608, or from ROM 602. The above-described functions defined in the methods of the embodiments of the present disclosure are performed when the computer program is executed by the processing device 601.

It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.

In some implementations, the clients, servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol ), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the internet (e.g., the internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed networks.

The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.

The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to:

generating a second signature according to the cryptogram information and a locally stored unified key in response to receiving the first signature and the cryptogram information sent by a second server, wherein the first signature is generated by a first client based on the cryptogram information and the unified key issued by the first server when the first client is started and sent to the second server, the cryptogram information is obtained by encrypting the identification of a user of the first client by the second server when a target service ticket of the first client is generated, and all clients facing the first server commonly own the unified key, and the first client is any one of the clients; and determining whether the target service ticket is valid according to the first signature and the second signature.

Alternatively, the computer-readable medium carries one or more programs that, when executed by the electronic device, cause the electronic device to: generating a first signature based on ciphertext information and a unified key in response to receiving ciphertext information sent by a second server, wherein the ciphertext information is obtained by encrypting an identifier of a user of the first client by the second server, the unified key is issued by the first server when the first client is started, all clients facing the first server commonly have the unified key, and the first client is any one of the clients; the first signature is sent to the second server to send the ciphertext information and the first signature to the first server by the second server.

Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including, but not limited to, an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The modules described in the embodiments of the present disclosure may be implemented in software or hardware. The name of the module is not limited to the module itself in some cases, for example, the second generation module may also be described as "a module that generates the first signature based on the ciphertext information and the unified key in response to receiving the ciphertext information transmitted by the second server".

The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a Complex Programmable Logic Device (CPLD), and the like.

In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

According to one or more embodiments of the present disclosure, example 1 provides a service ticket authentication method based on digital signature, applied to a first server, including: generating a second signature according to the cryptogram information and a locally stored unified key in response to receiving the first signature and the cryptogram information sent by a second server, wherein the first signature is generated by a first client based on the cryptogram information and the unified key issued by the first server when the first client is started and sent to the second server, the cryptogram information is obtained by encrypting the identification of a user of the first client by the second server when a target service ticket of the first client is generated, and all clients facing the first server commonly own the unified key, and the first client is any one of the clients; and determining whether the target service ticket is valid according to the first signature and the second signature.

In accordance with one or more embodiments of the present disclosure, example 2 provides the method of example 1, before the step of generating the second signature from the ciphertext information and the locally stored unified key, the method further comprising: generating a first random number in response to receiving service order negotiation for the target service order sent by the second server, wherein the first random number is a non-repeated random value; transmitting the first random number to the first client via the second server to generate the first signature by the first client based on the ciphertext information, the unified key, and the first random number; determining whether a corresponding history service ticket exists in the first random number or not in response to receiving the first signature and the ciphertext information sent by the second server; the generating a second signature according to the ciphertext information and the locally stored unified key comprises the following steps: and if the first random number does not have the corresponding history service list, generating a second signature according to the ciphertext information, the locally stored unified key and the first random number.

According to one or more embodiments of the present disclosure, example 3 provides the method of example 1, wherein the ciphertext information generated by the second server is the same for multiple service requests of the first client; before the step of generating a second signature from the ciphertext information and a locally stored unified key, the method further comprises: determining the number of effective service orders corresponding to the ciphertext information; and if the number does not reach the preset threshold, executing the step of generating a second signature according to the ciphertext information and the locally stored unified key.

According to one or more embodiments of the present disclosure, example 4 provides the method of any one of examples 1-3, the method further comprising: determining whether the user has service rights or not in response to receiving a right checking instruction sent by the first client when the first client is started; and if the user has the service authority, the unified key is issued to the first client.

According to one or more embodiments of the present disclosure, example 5 provides the method of any one of examples 1-3, the method further comprising: and updating the unified key according to a preset period.

Example 6 provides a digital signature-based service ticket authentication method, applied to a first client, according to one or more embodiments of the present disclosure, comprising: generating a first signature based on ciphertext information and a unified key in response to receiving ciphertext information sent by a second server, wherein the ciphertext information is obtained by encrypting an identifier of a user of the first client by the second server, the unified key is issued by the first server when the first client is started, all clients facing the first server commonly have the unified key, and the first client is any one of the clients; the first signature is sent to the second server to send the ciphertext information and the first signature to the first server by the second server.

In accordance with one or more embodiments of the present disclosure, example 7 provides the method of example 6, before the step of generating the first signature based on the ciphertext information and the unified key, the method further comprising: generating indication information for indicating whether to confirm the order or not in response to receiving the ciphertext information; and if the confirmation order instruction is received within the preset time for generating the indication information, executing the step of generating the first signature based on the ciphertext information and the unified key.

Example 8 provides the method of example 6, according to one or more embodiments of the present disclosure, the method further comprising: receiving a first random number sent by the second server; the generating a first signature based on the ciphertext information and the unified key includes: a first signature is generated based on the ciphertext information, the unified key, and the first random number.

Example 9 provides the method of example 6, according to one or more embodiments of the present disclosure, the method further comprising: generating a third signature based on a second random number in response to receiving the second random number sent by the second server, wherein the second random number and the ciphertext information are sent to the first client by the second server together; the third signature is sent to the second server, and the second server sends the ciphertext information and the first signature to the first client when a fourth signature generated based on the second random number is consistent with the third signature.

Example 10 provides the method of example 6, according to one or more embodiments of the present disclosure, the method further comprising: when the first client is started, sending a right checking instruction for requesting to verify whether the user has service right or not to the first server; and receiving the unified key issued by the first server when the user is determined to have the service right.

Example 11 provides the method of any of examples 6-10, the first client in communication with the second server through a second client, according to one or more embodiments of the present disclosure.

In accordance with one or more embodiments of the present disclosure, example 12 provides a digital signature-based service ticket authentication apparatus applied to a first server, comprising: a first generation module, configured to generate a second signature according to ciphertext information and a locally stored unified key in response to receiving the first signature and ciphertext information sent by a second server, where the first signature is generated by a first client based on the ciphertext information and the unified key issued by the first server when the first client is started, and sent to the second server, and the ciphertext information is obtained by encrypting, by the second server, an identifier of a user of the first client when a target service ticket of the first client is generated, where all clients to which the first server is facing commonly possess the unified key, and the first client is any one of the all clients; and the first determining module is used for determining whether the target service list is valid or not according to the first signature and the second signature.

Example 13 provides a digital signature based service ticket authentication apparatus, applied to a first client, comprising: the second generation module is used for generating a first signature based on ciphertext information and a unified key in response to receiving ciphertext information sent by a second server, wherein the ciphertext information is obtained by encrypting the identification of a user of the first client by the second server, the unified key is issued by the first server when the first client is started, all clients facing the first server commonly have the unified key, and the first client is any one of the clients; and the first sending module is used for sending the first signature to the second server so that the second server can send the ciphertext information and the first signature to the first server.

According to one or more embodiments of the present disclosure, example 14 provides a computer-readable medium having stored thereon a computer program which, when executed by a processing device, implements the steps of the method of any of examples 1-11.

Example 15 provides an electronic device according to one or more embodiments of the present disclosure, comprising: a storage device having a computer program stored thereon; processing means for executing the computer program in the storage means to implement the steps of the method of any one of examples 1-11.

The foregoing description is only of the preferred embodiments of the present disclosure and description of the principles of the technology being employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in this disclosure is not limited to the specific combinations of features described above, but also covers other embodiments which may be formed by any combination of features described above or equivalents thereof without departing from the spirit of the disclosure. Such as those described above, are mutually substituted with the technical features having similar functions disclosed in the present disclosure (but not limited thereto).

Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.

Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims. The specific manner in which the various modules perform the operations in the apparatus of the above embodiments have been described in detail in connection with the embodiments of the method, and will not be described in detail herein.

Claims

1. A service ticket authentication method based on digital signature, which is applied to a first server, comprising:

2. The method of claim 1, wherein prior to the step of generating a second signature from the ciphertext information and a locally stored unified key, the method further comprises:

generating a first random number in response to receiving service order negotiation for the target service order sent by the second server, wherein the first random number is a non-repeated random value;

transmitting the first random number to the first client via the second server to generate the first signature by the first client based on the ciphertext information, the unified key, and the first random number;

determining whether a corresponding history service ticket exists in the first random number or not in response to receiving the first signature and the ciphertext information sent by the second server;

the generating a second signature according to the ciphertext information and the locally stored unified key comprises the following steps:

3. The method of claim 1, wherein the ciphertext information generated by the second server is the same for multiple service requests of the first client;

before the step of generating a second signature from the ciphertext information and a locally stored unified key, the method further comprises:

and if the number does not reach the preset threshold, executing the step of generating a second signature according to the ciphertext information and the locally stored unified key.

4. A method according to any one of claims 1-3, characterized in that the method further comprises:

determining whether the user has service rights or not in response to receiving a right checking instruction sent by the first client when the first client is started;

and if the user has the service authority, the unified key is issued to the first client.

5. A method according to any one of claims 1-3, characterized in that the method further comprises:

and updating the unified key according to a preset period.

6. A service ticket authentication method based on digital signature, which is applied to a first client, comprising:

7. The method of claim 6, wherein prior to the step of generating a first signature based on the ciphertext information and a unified key, the method further comprises:

8. The method of claim 6, wherein the method further comprises:

receiving a first random number sent by the second server;

the generating a first signature based on the ciphertext information and the unified key includes:

9. The method of claim 6, wherein the method further comprises:

generating a third signature based on a second random number in response to receiving the second random number sent by the second server, wherein the second random number and the ciphertext information are sent to the first client by the second server together;

the third signature is sent to the second server, and the second server sends the ciphertext information and the first signature to the first client when a fourth signature generated based on the second random number is consistent with the third signature.

10. The method of claim 6, wherein the method further comprises:

when the first client is started, sending a right checking instruction for requesting to verify whether the user has service right or not to the first server;

And receiving the unified key issued by the first server when the user is determined to have the service right.

11. The method according to any of claims 6-10, wherein the first client communicates with the second server via a second client.

12. A digital signature-based service ticket authentication apparatus, applied to a first server, comprising:

13. A digital signature-based service ticket authentication device, applied to a first client, comprising:

14. A computer readable medium on which a computer program is stored, characterized in that the program, when being executed by a processing device, carries out the steps of the method according to any one of claims 1-11.

15. An electronic device, comprising:

a storage device having a computer program stored thereon;

processing means for executing said computer program in said storage means to carry out the steps of the method according to any one of claims 1-11.