WO2015003521A1 - Operation request processing method and system - Google Patents

Operation request processing method and system Download PDF

Info

Publication number
WO2015003521A1
WO2015003521A1 PCT/CN2014/076443 CN2014076443W WO2015003521A1 WO 2015003521 A1 WO2015003521 A1 WO 2015003521A1 CN 2014076443 W CN2014076443 W CN 2014076443W WO 2015003521 A1 WO2015003521 A1 WO 2015003521A1
Authority
WO
WIPO (PCT)
Prior art keywords
operation request
request
data packet
terminal
system server
Prior art date
Application number
PCT/CN2014/076443
Other languages
French (fr)
Chinese (zh)
Inventor
李东声
Original Assignee
天地融科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 天地融科技股份有限公司 filed Critical 天地融科技股份有限公司
Publication of WO2015003521A1 publication Critical patent/WO2015003521A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present invention relates to the field of electronic technologies, and in particular, to a method and system for processing an operation request. Background technique
  • the leader of the enterprise may authorize the employee to perform related operations; the individual may also authorize the agent to perform related operations.
  • the existing authorization is authorized by the enterprise leader to sign the authorization or the individual to handle the relevant authorization procedures to authorize the agent to perform related operations.
  • both the enterprise and the individual must be present to be authorized, otherwise it is necessary to wait for the authorized person to be present to authorize. , easy to lead to business opportunities, great inconvenience management and authorization. Summary of the invention
  • the present invention aims to solve the problem of inconvenience of the existing authorization scheme.
  • the main object of the present invention is to provide a processing method for an operation request
  • Another object of the present invention is to provide a processing system for an operation request.
  • An aspect of the present invention provides a processing method for an operation request, including: acquiring, by a first terminal, operation content; acquiring, by the first terminal, an operation request generation policy, and generating an operation request according to the operation request and the operation content generation operation request
  • the first terminal sends the operation request to the background system server; the background system server verifies the legality of the operation request after obtaining the operation request; the background system server is verifying the After the operation request is legal, the operation request is sent to the second terminal; after obtaining the operation request, the second terminal acquires a request sending policy, and sends an operation request data packet to the authorized electronic according to the request sending policy.
  • a signature token where the operation request data packet is generated according to the request sending policy and the operation request; the authorized electronic signature token prompts the operation request data packet; the authorized electronic signature order Receiving a confirmation command, and requesting data for the operation according to the confirmation instruction
  • the packet is signed to obtain a signature data packet; the authorized electronic signature token sends the signature data packet to the second terminal; the second terminal sends the signature data packet and the operation request data packet to a background system server; the background system server verifies the signature data packet; After the background system server verifies that the signature data packet is passed, the background system server executes the operation request according to the operation request data packet.
  • the step of acquiring the operation request generation policy by the first terminal, and generating the operation request and the operation content generation operation request according to the operation request include: the first terminal acquiring the identity identification information and the authorization password; The terminal generates the operation request according to the identity identification information, the authorization password, and the operation content; the step of the background system server verifying the legality of the operation request after obtaining the operation request includes: After obtaining the operation request, the background system server verifies the correctness of the authorization password according to the identity identification information. If the authorization password is verified to be correct, the operation request is verified to be legal.
  • the authorization password is a dynamic password or a static password.
  • the step of acquiring the operation request generation policy by the first terminal, and generating the operation request and the operation content generation operation request according to the operation request the first terminal acquiring the identity identification information and the signature information, where The signature information is obtained by signing the operation content; the first terminal generates the operation request according to the identity identification information, the signature information, and the operation content; the background system server obtains the operation
  • the step of verifying the legality of the operation request includes: after the obtaining the operation request, the background system server verifies the correctness of the signature information according to the identity identification information and the operation content, if the verification If the signature information is correct, the operation request is verified to be legal.
  • the second terminal After the operation request, the forwarding policy is obtained; the second terminal sends the operation request as an operation request data packet to the authorized electronic signature token.
  • the second terminal is: After the operation request, acquiring a process and transmitting a policy; the second terminal processing the operation request according to the processing and sending policy to generate an operation request data packet, and sending the operation request according to the processing and sending a policy The packet is sent to the authorized electronic signature token.
  • the operation content includes: transfer request information, logistics request information, access request information, or acquisition request information
  • the step of performing the operation request according to the operation request data packet includes: after the background system server verifies that the signature data packet is passed, according to the Transmitting the request information to perform a transfer operation; after verifying that the signed data packet is passed, the background system server performs a logistics operation according to the logistics request information; after the background system server verifies that the signature data packet is passed, Performing an access permission setting operation according to the access request information; or the background system server performs a sending operation according to the obtaining request after verifying that the signed data packet passes.
  • Another aspect of the present invention provides a processing system for operating an operation, including: a first terminal, a background system server, a second terminal, and an authorized electronic signature token; wherein the first terminal acquires an operation content, and acquires an operation request to generate a policy, and according to the operation request generation policy and the operation content generation operation request, sending the operation request to the background system server; after the background system server obtains the operation request, verifying the operation request Legitimate, after verifying that the operation request is legal, sending the operation request to the second terminal, verifying the signature data packet, and after verifying that the signature data packet passes, requesting the data packet according to the operation After the operation request is obtained, the second terminal acquires a request sending policy, and sends an operation request data packet to the authorized electronic signature token according to the request sending policy, where An operation request packet is a policy according to the request and the operation And generating, by the request, the signature data packet and the operation request data packet to the background system server; the authorized electronic signature token prompting the operation request data packet, receiving the confirmation instruction, and
  • the first terminal acquires the identity identification information and the authorization password, and generates the operation request according to the identity identification information, the authorization password, and the operation content; after the background system server obtains the operation request, And verifying the correctness of the authorization password according to the identity identification information, and if the authorization password is verified to be correct, verifying that the operation request is legal.
  • the authorization password is a dynamic password or a static password.
  • the first terminal acquires the identity identification information and the signature information, where the signature information is obtained by signing the operation content, and generating, according to the identity identification information, the signature information, and the operation content.
  • the background system server verifies the correctness of the signature information according to the identity identification information and the operation content, and if the signature information is verified to be correct, the operation is verified. The request is legal.
  • the second terminal acquires a forwarding policy, and sends the operation request as an operation request data packet to the authorized electronic signature token.
  • the second terminal acquires a process and sends a policy, and processes the operation request according to the processing and sending policy to generate an operation request data packet, and according to the processing and sending the policy,
  • the operation request packet is sent to an authorized electronic signature token.
  • the operation content includes: transfer request information, logistics request information, access request information, or acquisition request information
  • the background system server performs a transfer operation according to the transfer request information; after the background system server verifies that the signature data packet is passed, performs execution of the logistics according to the logistics request information. After the verification, the background system server performs an access permission setting operation according to the access request information after verifying that the signature data packet passes; or the background system server, after verifying that the signature data packet passes, according to the obtaining request Perform the send operation.
  • the processing method and system using the operation request of the present invention can be approved in an electronic form, which is convenient to use and ensures the security and non-repudiation of the approval.
  • FIG. 1 is a flowchart of a method for processing an operation request provided by the present invention
  • FIG. 2 is a schematic structural diagram of a processing system for an operation request provided by the present invention. detailed description
  • connection In the description of the present invention, it should be noted that the terms “installation”, “connected”, and “connected” are to be understood broadly, and may be fixed or detachable, for example, unless otherwise explicitly defined and defined. Connected, or connected in one piece; can be mechanical or electrical; can be directly connected or indirectly connected through an intermediate medium, It is the internal connection between the two components.
  • the specific meanings of the above terms in the present invention can be understood in the specific circumstances by those skilled in the art.
  • FIG. 1 is a flowchart showing a processing method of an operation request according to the present invention.
  • the processing method of the operation request of the present invention includes:
  • Step S101 The first terminal acquires an operation content.
  • the first terminal may be a terminal used by the employee, may be a terminal used by the agent, or a terminal used by the requester; to implement a corresponding request by using the first terminal.
  • the first terminal may be a fixed terminal or a mobile terminal
  • the fixed terminal may be: a PC, an ATM, or a POS.
  • the mobile terminal may be: a laptop, a tablet, a smart phone, or a handheld POS.
  • the first terminal can connect to the background system server by wire or wirelessly to implement the corresponding request.
  • the operation content of the present invention may be any of the following:
  • Transfer request information for example: requesting bank transfer business
  • Logistics request information for example: requesting the leader to approve the business sent by the logistics;
  • Access request information for example: requesting access to a host or server's business;
  • Obtain the request information for example: request to obtain permission from a host or server for file download, or request decryption information of downloaded encrypted information from a host or server.
  • the operation content of the present invention may further include the detailed information of the above request and the like.
  • Step S102 The first terminal acquires an operation request generation policy, and generates an operation request according to the operation request and an operation content generation operation request.
  • the operation request generation policy may include generating an operation request according to any one of the following contents:
  • Identity information and authorization password if an authorization password is used, it is simple and easy; of course, the authorization password is a dynamic password or a static password, and the dynamic password can be a dynamic password generated by a dynamic port token, which can be set in advance. With dynamic passwords, security is higher, and static passwords are simple and easy to use. Or
  • the signature information may be obtained by signing the operation content of the key of the key held by the user, and if the signature information is used, the security is improved and the repudiation is prevented.
  • the present invention can set different levels according to the complexity of the user operation request to obtain a static password, a dynamic password or signature information, and the above security level is increased step by step. For example: When the transfer amount is small, you can choose the method of obtaining the static password. When the transfer amount is large, you can choose the way to obtain the signature information.
  • the first terminal may combine the identity identification information, the authorization password, and the operation content to generate an operation request, and may also combine the identity identification information, the calculated authorization password, and the operation content into an operation request after calculating the authorization password.
  • the calculation of the authorization password may be a calculation of the MAC value of the authorization password or a calculation of the HASH value of the authorization password, and may be a partial value of the calculated MAC value or HASH value.
  • the calculation of the authorization password ensures the security of the authorized password transmission and prevents the authorization password from being obtained.
  • the first terminal may also directly generate an operation request for encrypting the identity information, the authorization password, and the operation content, and the encrypted transmission improves security.
  • the first terminal obtains the identity information and the signature information, wherein the signature information is obtained by signing the operation content
  • the first terminal generates an operation request according to the identity identification information, the signature information, and the operation content.
  • the first terminal may combine the identity information, the signature information, and the operation content to generate an operation request, or the first terminal encrypts the identity identification information, the signature information, and the operation content to generate an operation request, and the encrypted transmission improves security.
  • Step S103 the first terminal sends an operation request to the background system server
  • Step S104 After obtaining the operation request, the background system server verifies the legality of the operation request.
  • the background system server verifies the correctness of the authorization password according to the identity identification information after obtaining the operation request, if the authorization is verified If the password is correct, the verification operation request is legal.
  • the background system server decrypts the encrypted information and then verifies it.
  • the static password may be pre-stored in the background system server, and has a correspondence relationship with the identity identification information, and the background system server searches for the pre-stored static password according to the identity identification information. If the first terminal calculates the MAC value or the HASH value for the static password, the background system server also uses the same method to calculate the MAC value or HASH value of the found static password in the same manner for verification.
  • the background system server can generate the verification password in the same manner as the dynamic port token that generates the dynamic password, so that the generated verification password is consistent with the received dynamic password.
  • the backend system server generates a check password in a manner corresponding to the identity identifier information, and the background system server searches for a check password according to the identity identifier information and generates a check password. If the first terminal calculates a MAC value or a HASH value for the dynamic password. Then, the background system server calculates the MAC value or HASH value of the generated dynamic password in the same manner in the verification.
  • the background system server obtains the operation request, Verify the correctness of the signature information based on the identity information and the operation content. If the signature information is correct, the verification operation request is legal.
  • the background system server pre-stores the public key of the key held by the user, and the public key has a correspondence relationship with the identity identification information, and the background system server searches for the public key according to the identity identification information, according to the found public key and the received operation content. The signature information is checked, and the verification request is valid.
  • the subsequent operations can be performed to ensure the authenticity, legality, and security of the subsequent operations.
  • Step S105 After the verification operation request is legal, the background system server sends the operation request to the second terminal.
  • the second terminal may be a terminal used by the leader, may be a terminal used by the authorized person, or used by the approver. a terminal; to implement a corresponding authorization operation by using the second terminal.
  • the second terminal may be a fixed terminal or a mobile terminal.
  • the fixed terminal may be: a PC, an ATM, or a POS.
  • the mobile terminal may be: a laptop, a tablet, a smart phone, or a handheld POS.
  • the second terminal can connect to the background system server by wire or wirelessly to implement a corresponding authorization operation.
  • Step S106 After obtaining the operation request, the second terminal acquires the request sending policy, and sends the operation request data packet to the authorized electronic signature token according to the request sending policy, where the operation request data packet is sent according to the request and the operation request. Generated;
  • the second terminal may directly forward the operation request, and may process the operation request and then send the message; if directly forwarding, the operation is simple and convenient, and if the operation request is processed and then sent, the second terminal may be improved. Increase the content of the operation, easy to use.
  • the second terminal After obtaining the operation request, the second terminal directly forwards the operation request in the following manner: The second terminal acquires the forwarding policy, and sends the operation request as an operation request data packet to the authorized electronic signature token. After obtaining the operation request, the second terminal may process the operation request and then send the following: The second terminal acquires the processing and sends the policy, and processes the operation request according to the processing and sending policy to generate an operation request data packet, and according to the processing And send a policy to send the operation request packet to the authorized electronic signature token.
  • This processing can be any operation such as adding a permission setting when requesting access to a host or server.
  • other operations related to the operation request can be added to improve security.
  • Step S107 authorizing the electronic signature token to prompt the operation request data packet
  • the authorized electronic signature token is a key used by the leader, the authorized person, or the approver, and may be a key that can be matched with the second terminal, such as a USB key, a Bluetooth key, an infrared key, an NFC key, an audio key, and the like.
  • the authorized electronic signature token displays or voice prompts the operation request data packet, or extracts key information in the operation request data packet for display or voice prompt to prompt the user to know the operation request.
  • the request is manipulated to determine if the operational request can be approved.
  • the authorized electronic signature token receives the confirmation instruction, and signs the operation request data packet according to the confirmation instruction to obtain the signature data packet;
  • the authorized electronic signature token signs the operation request data packet according to the private key of the authorized electronic signature token to obtain a signature data packet.
  • Step S109 authorizing the electronic signature token to send the signature data packet to the second terminal
  • Step S110 The second terminal sends the signature data packet and the operation request data packet to the background system server.
  • the background system server prestores the public key of the authorized electronic signature token. After the background system server receives the signature data packet and the operation request data packet, the public key corresponding to the authorized electronic signature token may be found according to the identity identification information. , verifying the signature packet based on the public key.
  • Step S112 After verifying that the signature data packet is passed, the background system server performs an operation request according to the operation request data packet.
  • the background system server performs the operation request according to the operation request data packet after verifying that the signature data packet is passed, thereby ensuring the authenticity and security of the operation request.
  • the background system server After the background system server verifies that the signature packet has passed, it can perform the following different operations:
  • the sending operation is performed according to the acquisition request.
  • FIG. 2 is a schematic structural diagram of a processing system for operating an operation request, and the processing system of the operation request of the present invention adopts the processing method of the above operation request, which is not described herein, and only the structure of the processing system for the operation request and The respective functions are briefly described. Referring to FIG.
  • the processing system for the operation request includes: a first terminal 201, a background system server 202, a second terminal 203, and an authorized electronic signature token 204;
  • the first terminal 201 obtains the operation content, acquires the operation request generation policy, and generates an operation request and an operation content generation operation request according to the operation request, and sends the operation request to the background system server 202.
  • the operation content may include: the transfer request information, the logistics request Information, access request information, or get request information.
  • the background system server 202 After obtaining the operation request, the background system server 202 verifies the legality of the operation request. After the verification operation request is legal, the operation request is sent to the second terminal 203 to verify the signature data packet, after verifying that the signature data packet is passed, according to the verification The operation request packet performs an operation request;
  • the second terminal 203 After obtaining the operation request, acquires the request sending policy, and sends the operation request data packet to the authorized electronic signature token 204 according to the request sending policy, where the operation request data packet is generated according to the request sending policy and the operation request. And sending the signature data packet and the operation request data packet to the background system server 202;
  • the authorization electronic signature token 204 prompts the operation request data packet, receives the confirmation command, and signs the operation request data packet according to the confirmation instruction, obtains the signature data packet, and transmits the signature data packet to the second terminal 203.
  • the first terminal 201 can generate an operation request by:
  • the first terminal 201 obtains the identity identification information and the authorization password, and generates an operation request according to the identity identification information, the authorization password, and the operation content.
  • the authorization password is a dynamic password or a static password.
  • the background system server verifies the legality of the operation request as follows:
  • the background system server 202 After obtaining the operation request, the background system server 202 verifies the correctness of the authorization password according to the identity identification information. If the verification authorization password is correct, the verification operation request is legal.
  • the first terminal 201 obtains the identity identification information and the signature information, where the signature information is obtained by signing the operation content, and generating an operation request according to the identity identification information, the signature information, and the operation content;
  • the background system server verifies the legality of the operation request as follows:
  • the background system server 202 After obtaining the operation request, the background system server 202 verifies the correctness of the signature information according to the identity identification information and the operation content. If the verification signature information is correct, the verification operation request is legal.
  • the second terminal 203 can send the operation request data packet to the authorized electronic signature token 204 by:
  • Manner 1 The second terminal 203 acquires the forwarding policy, and sends the operation request as an operation request packet to the authorized electronic signature token 204.
  • Manner 2 After obtaining the operation request, the second terminal 203 acquires the processing and sends the policy, processes the operation request according to the processing and sending policy, generates an operation request data packet, and sends the operation request data packet to the authorized electronic device according to the processing and sending policy. Signing token 204.
  • the background system server 202 can perform the operation request by: Performing a transfer operation according to the transfer request information;
  • the sending operation is performed according to the acquisition request.
  • the processing system using the operation request of the present invention can be approved in an electronic form, and is convenient to use while ensuring the security and non-repudiation of the approval.
  • each device may perform related operations by a respective CPU or chip, each device may divide different operations performed by different modules, or may complete all operations by one module, as long as The solution of the present invention achieves the object of the present invention, and the effects of the present invention are all within the scope of protection of the present invention.
  • Any process or method description in the flowcharts or otherwise described herein may be understood to represent a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a particular logical function or process.
  • the scope of the preferred embodiments of the invention includes additional implementations, in which the functions may be performed in a substantially simultaneous manner or in an opposite order depending on the functions involved, in the order shown or discussed. It will be understood by those skilled in the art to which the embodiments of the present invention pertain.
  • portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
  • a suitable instruction execution system For example, if implemented in hardware, as in another embodiment, it can be implemented with any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the description of the terms “one embodiment”, “some embodiments”, “example”, “specific example”, or “some examples” and the like means a specific feature described in connection with the embodiment or example.
  • a structure, material or feature is included in at least one embodiment or example of the invention.
  • the schematic representation of the above terms does not necessarily mean the same embodiment or example.
  • the particular features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Provided are an operation request processing method and system. The method comprises the following steps: a first terminal (201) generating an operation request and sending the operation request to a background system server (202); after verifying that the operation request is legal, the background system server (202) sending the operation request to a second terminal (203); the second terminal (203) sending an operation request data packet to an authorized electronic signature token (204), the authorized electronic signature token (204) prompting the operation request data packet, receiving an acknowledge instruction, and performing signature, so as to obtain a signature data packet; the authorized electronic signature token (204) sending the signature data packet to the second terminal (203); the second terminal (203) sending the signature data packet and the operation request data packet to the background system server (202); and after the verification of the signature data packet passes, the background system server (202) executing the operation request according to the operation request data packet.

Description

操作请求的处理方法及系统 技术领域  Processing method and system for operation request
本发明涉及电子技术领域, 尤其涉及一种操作请求的处理方法及系统。 背景技术  The present invention relates to the field of electronic technologies, and in particular, to a method and system for processing an operation request. Background technique
目前, 随着网络的发展, 无论是电子商务还是网上银行, 均通过网络这一手段实现各 自的业务, 很好的满足了人民对购物和银行业务的需求, 方便使用。  At present, with the development of the network, both e-commerce and online banking have realized their own business through the network, which satisfies the people's demand for shopping and banking services and is convenient to use.
然而, 企业在执行电子商务或者网上银行时, 可以由企业的领导授权给员工执行相关 操作; 个人也可以授权给代理人执行相关操作。 但是现有授权是通过企业领导审批后签字 授权或者个人办理相关授权手续授权给代理人执行相关操作, 此时, 无论是企业还是个人 均必须在场才可以授权, 否则需要等待授权人在场才可以授权, 容易导致贻误商机, 极大 的不方便管理和授权。 发明内容  However, when an enterprise performs e-commerce or online banking, the leader of the enterprise may authorize the employee to perform related operations; the individual may also authorize the agent to perform related operations. However, the existing authorization is authorized by the enterprise leader to sign the authorization or the individual to handle the relevant authorization procedures to authorize the agent to perform related operations. At this time, both the enterprise and the individual must be present to be authorized, otherwise it is necessary to wait for the authorized person to be present to authorize. , easy to lead to business opportunities, great inconvenience management and authorization. Summary of the invention
本发明旨在解决现有的授权方案不方便的问题。  The present invention aims to solve the problem of inconvenience of the existing authorization scheme.
本发明的主要目的在于提供一种操作请求的处理方法;  The main object of the present invention is to provide a processing method for an operation request;
本发明的另一目的在于提供一种操作请求的处理系统。  Another object of the present invention is to provide a processing system for an operation request.
为达到上述目的, 本发明的技术方案具体是这样实现的:  In order to achieve the above object, the technical solution of the present invention is specifically implemented as follows:
本发明一方面提供了一种操作请求的处理方法, 包括: 第一终端获取操作内容; 所述 第一终端获取操作请求生成策略, 并根据所述操作请求生成策略以及所述操作内容生成操 作请求; 所述第一终端将所述操作请求发送至所述后台系统服务器; 所述后台系统服务器 在获得所述操作请求后, 验证所述操作请求的合法性; 所述后台系统服务器在验证所述操 作请求合法后, 将所述操作请求发送至第二终端; 所述第二终端在获得所述操作请求后, 获取请求发送策略,并根据所述请求发送策略将操作请求数据包发送至授权电子签名令牌, 其中, 所述操作请求数据包是根据所述请求发送策略以及所述操作请求生成的; 所述授权 电子签名令牌对所述操作请求数据包进行提示; 所述授权电子签名令牌接收确认指令, 并 根据所述确认指令对所述操作请求数据包进行签名, 获得签名数据包; 所述授权电子签名 令牌将所述签名数据包发送至所述第二终端; 所述第二终端将所述签名数据包以及所述操 作请求数据包发送至后台系统服务器; 所述后台系统服务器对所述签名数据包进行验证; 所述后台系统服务器在验证所述签名数据包通过后, 根据所述操作请求数据包执行所述操 作请求。 An aspect of the present invention provides a processing method for an operation request, including: acquiring, by a first terminal, operation content; acquiring, by the first terminal, an operation request generation policy, and generating an operation request according to the operation request and the operation content generation operation request The first terminal sends the operation request to the background system server; the background system server verifies the legality of the operation request after obtaining the operation request; the background system server is verifying the After the operation request is legal, the operation request is sent to the second terminal; after obtaining the operation request, the second terminal acquires a request sending policy, and sends an operation request data packet to the authorized electronic according to the request sending policy. a signature token, where the operation request data packet is generated according to the request sending policy and the operation request; the authorized electronic signature token prompts the operation request data packet; the authorized electronic signature order Receiving a confirmation command, and requesting data for the operation according to the confirmation instruction The packet is signed to obtain a signature data packet; the authorized electronic signature token sends the signature data packet to the second terminal; the second terminal sends the signature data packet and the operation request data packet to a background system server; the background system server verifies the signature data packet; After the background system server verifies that the signature data packet is passed, the background system server executes the operation request according to the operation request data packet.
此外, 所述第一终端获取操作请求生成策略, 并根据所述操作请求生成策略以及所述 操作内容生成操作请求的步骤包括: 所述第一终端获取身份标识信息以及授权密码; 所述 第一终端根据所述身份标识信息、 所述授权密码以及所述操作内容生成所述操作请求; 所 述后台系统服务器在获得所述操作请求后, 验证所述操作请求的合法性的步骤包括: 所述 后台系统服务器在获得所述操作请求后, 根据所述身份标识信息验证所述授权密码的正确 性, 如果验证所述授权密码正确, 则验证所述操作请求合法。  In addition, the step of acquiring the operation request generation policy by the first terminal, and generating the operation request and the operation content generation operation request according to the operation request include: the first terminal acquiring the identity identification information and the authorization password; The terminal generates the operation request according to the identity identification information, the authorization password, and the operation content; the step of the background system server verifying the legality of the operation request after obtaining the operation request includes: After obtaining the operation request, the background system server verifies the correctness of the authorization password according to the identity identification information. If the authorization password is verified to be correct, the operation request is verified to be legal.
此外, 所述授权密码为动态密码或者静态密码。  In addition, the authorization password is a dynamic password or a static password.
此外, 所述第一终端获取操作请求生成策略, 并根据所述操作请求生成策略以及所述 操作内容生成操作请求的步骤包括: 所述第一终端获取身份标识信息以及签名信息, 其中, 所述签名信息是对所述操作内容进行签名获得的; 所述第一终端根据所述身份标识信息、 所述签名信息以及所述操作内容生成所述操作请求; 所述后台系统服务器在获得所述操作 请求后, 验证所述操作请求的合法性的步骤包括: 所述后台系统服务器在获得所述操作请 求后, 根据所述身份标识信息以及所述操作内容验证所述签名信息的正确性, 如果验证所 述签名信息正确, 则验证所述操作请求合法。  In addition, the step of acquiring the operation request generation policy by the first terminal, and generating the operation request and the operation content generation operation request according to the operation request, the first terminal acquiring the identity identification information and the signature information, where The signature information is obtained by signing the operation content; the first terminal generates the operation request according to the identity identification information, the signature information, and the operation content; the background system server obtains the operation After the request, the step of verifying the legality of the operation request includes: after the obtaining the operation request, the background system server verifies the correctness of the signature information according to the identity identification information and the operation content, if the verification If the signature information is correct, the operation request is verified to be legal.
此外, 所述第二终端在获得所述操作请求后, 获取请求发送策略, 并根据所述请求发 送策略将操作请求数据包发送至授权电子签名令牌的步骤包括: 所述第二终端在获得所述 操作请求后, 获取转发策略; 所述第二终端将所述操作请求作为操作请求数据包发送至授 权电子签名令牌。  In addition, after the obtaining, by the second terminal, the request sending policy, and sending the operation request data packet to the authorized electronic signature token according to the request sending policy, the second terminal is: After the operation request, the forwarding policy is obtained; the second terminal sends the operation request as an operation request data packet to the authorized electronic signature token.
此外, 所述第二终端在获得所述操作请求后, 获取请求发送策略, 并根据所述请求发 送策略将操作请求数据包发送至授权电子签名令牌的步骤包括: 所述第二终端在获得所述 操作请求后, 获取处理并发送策略; 所述第二终端根据所述处理并发送策略对所述操作请 求进行处理生成操作请求数据包, 并根据所述处理并发送策略将所述操作请求数据包发送 至授权电子签名令牌。  In addition, after the obtaining, by the second terminal, the request sending policy, and sending the operation request data packet to the authorized electronic signature token according to the request sending policy, the second terminal is: After the operation request, acquiring a process and transmitting a policy; the second terminal processing the operation request according to the processing and sending policy to generate an operation request data packet, and sending the operation request according to the processing and sending a policy The packet is sent to the authorized electronic signature token.
此外, 所述操作内容包括: 转账请求信息、 物流请求信息、 访问请求信息或者获取请 求 息  In addition, the operation content includes: transfer request information, logistics request information, access request information, or acquisition request information
此外, 所述后台系统服务器在验证所述签名数据包通过后, 根据所述操作请求数据包 执行所述操作请求的步骤包括: 所述后台系统服务器在验证所述签名数据包通过后, 根据 所述转账请求信息执行转账操作; 所述后台系统服务器在验证所述签名数据包通过后, 根 据所述物流请求信息执行物流操作; 所述后台系统服务器在验证所述签名数据包通过后, 根据所述访问请求信息执行访问权限设置操作; 或者所述后台系统服务器在验证所述签名 数据包通过后, 根据所述获取请求执行发送操作。 In addition, after the background system server verifies that the signature data packet is passed, the step of performing the operation request according to the operation request data packet includes: after the background system server verifies that the signature data packet is passed, according to the Transmitting the request information to perform a transfer operation; after verifying that the signed data packet is passed, the background system server performs a logistics operation according to the logistics request information; after the background system server verifies that the signature data packet is passed, Performing an access permission setting operation according to the access request information; or the background system server performs a sending operation according to the obtaining request after verifying that the signed data packet passes.
本发明另一方面提供了一种操作请求的处理系统, 包括: 第一终端、 后台系统服务器、 第二终端以及授权电子签名令牌; 其中, 所述第一终端获取操作内容, 获取操作请求生成 策略, 并根据所述操作请求生成策略以及所述操作内容生成操作请求, 将所述操作请求发 送至所述后台系统服务器; 所述后台系统服务器在获得所述操作请求后, 验证所述操作请 求的合法性, 在验证所述操作请求合法后, 将所述操作请求发送至所述第二终端, 对签名 数据包进行验证, 在验证所述签名数据包通过后, 根据所述操作请求数据包执行所述操作 请求; 所述第二终端在获得所述操作请求后, 获取请求发送策略, 并根据所述请求发送策 略将操作请求数据包发送至所述授权电子签名令牌, 其中, 所述操作请求数据包是根据所 述请求发送策略以及所述操作请求生成的, 并将所述签名数据包以及所述操作请求数据包 发送至所述后台系统服务器; 所述授权电子签名令牌对所述操作请求数据包进行提示, 接 收确认指令, 并根据所述确认指令对所述操作请求数据包进行签名, 获得签名数据包, 将 所述签名数据包发送至所述第二终端。  Another aspect of the present invention provides a processing system for operating an operation, including: a first terminal, a background system server, a second terminal, and an authorized electronic signature token; wherein the first terminal acquires an operation content, and acquires an operation request to generate a policy, and according to the operation request generation policy and the operation content generation operation request, sending the operation request to the background system server; after the background system server obtains the operation request, verifying the operation request Legitimate, after verifying that the operation request is legal, sending the operation request to the second terminal, verifying the signature data packet, and after verifying that the signature data packet passes, requesting the data packet according to the operation After the operation request is obtained, the second terminal acquires a request sending policy, and sends an operation request data packet to the authorized electronic signature token according to the request sending policy, where An operation request packet is a policy according to the request and the operation And generating, by the request, the signature data packet and the operation request data packet to the background system server; the authorized electronic signature token prompting the operation request data packet, receiving the confirmation instruction, and receiving the confirmation instruction The confirmation command signs the operation request data packet, obtains a signature data packet, and transmits the signature data packet to the second terminal.
此外, 所述第一终端获取身份标识信息以及授权密码, 根据所述身份标识信息、 所述 授权密码以及所述操作内容生成所述操作请求; 所述后台系统服务器在获得所述操作请求 后, 根据所述身份标识信息验证所述授权密码的正确性, 如果验证所述授权密码正确, 则 验证所述操作请求合法。  In addition, the first terminal acquires the identity identification information and the authorization password, and generates the operation request according to the identity identification information, the authorization password, and the operation content; after the background system server obtains the operation request, And verifying the correctness of the authorization password according to the identity identification information, and if the authorization password is verified to be correct, verifying that the operation request is legal.
此外, 所述授权密码为动态密码或者静态密码。  In addition, the authorization password is a dynamic password or a static password.
此外, 所述第一终端获取身份标识信息以及签名信息, 其中, 所述签名信息是对所述 操作内容进行签名获得的, 根据所述身份标识信息、 所述签名信息以及所述操作内容生成 所述操作请求; 所述后台系统服务器在获得所述操作请求后, 根据所述身份标识信息以及 所述操作内容验证所述签名信息的正确性, 如果验证所述签名信息正确, 则验证所述操作 请求合法。  In addition, the first terminal acquires the identity identification information and the signature information, where the signature information is obtained by signing the operation content, and generating, according to the identity identification information, the signature information, and the operation content. After the operation request is obtained, the background system server verifies the correctness of the signature information according to the identity identification information and the operation content, and if the signature information is verified to be correct, the operation is verified. The request is legal.
此外, 所述第二终端在获得所述操作请求后, 获取转发策略, 将所述操作请求作为操 作请求数据包发送至授权电子签名令牌。  In addition, after obtaining the operation request, the second terminal acquires a forwarding policy, and sends the operation request as an operation request data packet to the authorized electronic signature token.
此外, 所述第二终端在获得所述操作请求后, 获取处理并发送策略, 根据所述处理并 发送策略对所述操作请求进行处理生成操作请求数据包, 并根据所述处理并发送策略将所 述操作请求数据包发送至授权电子签名令牌。  In addition, after obtaining the operation request, the second terminal acquires a process and sends a policy, and processes the operation request according to the processing and sending policy to generate an operation request data packet, and according to the processing and sending the policy, The operation request packet is sent to an authorized electronic signature token.
此外, 所述操作内容包括: 转账请求信息、 物流请求信息、 访问请求信息或者获取请 求 息 此外, 所述后台系统服务器在验证所述签名数据包通过后, 根据所述转账请求信息执 行转账操作; 所述后台系统服务器在验证所述签名数据包通过后, 根据所述物流请求信息 执行物流操作; 所述后台系统服务器在验证所述签名数据包通过后, 根据所述访问请求信 息执行访问权限设置操作; 或者所述后台系统服务器在验证所述签名数据包通过后, 根据 所述获取请求执行发送操作。 由上述本发明提供的技术方案可以看出, 由此可见, 采用了本发明的操作请求的处理 方法及系统, 可以以电子形式进行审批, 方便使用的同时还保证了审批的安全性和不可抵 赖性。 附图说明 In addition, the operation content includes: transfer request information, logistics request information, access request information, or acquisition request information In addition, after verifying that the signature data packet is passed, the background system server performs a transfer operation according to the transfer request information; after the background system server verifies that the signature data packet is passed, performs execution of the logistics according to the logistics request information. After the verification, the background system server performs an access permission setting operation according to the access request information after verifying that the signature data packet passes; or the background system server, after verifying that the signature data packet passes, according to the obtaining request Perform the send operation. As can be seen from the technical solution provided by the present invention, it can be seen that the processing method and system using the operation request of the present invention can be approved in an electronic form, which is convenient to use and ensures the security and non-repudiation of the approval. Sex. DRAWINGS
为了更清楚地说明本发明实施例的技术方案, 下面将对实施例描述中所需要使用的附 图作简单地介绍, 显而易见地, 下面描述中的附图仅仅是本发明的一些实施例, 对于本领 域的普通技术人员来讲, 在不付出创造性劳动的前提下, 还可以根据这些附图获得其他附 图。  In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, Those skilled in the art can also obtain other drawings based on these drawings without any creative work.
图 1为本发明提供的操作请求的处理方法的流程图;  1 is a flowchart of a method for processing an operation request provided by the present invention;
图 2为本发明提供的操作请求的处理系统的结构示意图。 具体实施方式  FIG. 2 is a schematic structural diagram of a processing system for an operation request provided by the present invention. detailed description
下面结合本发明实施例中的附图, 对本发明实施例中的技术方案进行清楚、 完整地描 述, 显然, 所描述的实施例仅仅是本发明一部分实施例, 而不是全部的实施例。 基于本发 明的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例, 都属于本发明的保护范围。  The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
在本发明的描述中, 需要理解的是, 术语"中心"、 "纵向"、 "横向"、 "上"、 "下"、 "前"、 "后"、 "左"、 "右"、 "竖直"、 "水平"、 "顶"、 "底"、 "内"、 "外"等指示的方位或位置关系为 基于附图所示的方位或位置关系, 仅是为了便于描述本发明和简化描述, 而不是指示或暗 示所指的装置或元件必须具有特定的方位、 以特定的方位构造和操作, 因此不能理解为对 本发明的限制。 此外, 术语"第一"、 "第二 "仅用于描述目的, 而不能理解为指示或暗示相 对重要性或数量或位置。  In the description of the present invention, it is to be understood that the terms "center", "vertical", "transverse", "upper", "lower", "previous", "rear", "left", "right", " The orientation or positional relationship of the indications of "", "horizon", "top", "bottom", "inside", "outside", etc. is based on the orientation or positional relationship shown in the drawings, only for the convenience of describing the present invention and The simplification of the description is not intended to limit or imply that the device or elements referred to have a particular orientation, construction and operation in a particular orientation. Moreover, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
在本发明的描述中,需要说明的是,除非另有明确的规定和限定,术语"安装"、"相连"、 "连接 "应做广义理解, 例如, 可以是固定连接, 也可以是可拆卸连接, 或一体地连接; 可 以是机械连接, 也可以是电连接; 可以是直接相连, 也可以通过中间媒介间接相连, 可以 是两个元件内部的连通。 对于本领域的普通技术人员而言, 可以具体情况理解上述术语在 本发明中的具体含义。 In the description of the present invention, it should be noted that the terms "installation", "connected", and "connected" are to be understood broadly, and may be fixed or detachable, for example, unless otherwise explicitly defined and defined. Connected, or connected in one piece; can be mechanical or electrical; can be directly connected or indirectly connected through an intermediate medium, It is the internal connection between the two components. The specific meanings of the above terms in the present invention can be understood in the specific circumstances by those skilled in the art.
下面将结合附图对本发明实施例作进一步地详细描述。 图 1 出示了本发明的操作请求的处理方法的流程图, 参见图 1, 本发明的操作请求的 处理方法包括:  The embodiments of the present invention will be further described in detail below with reference to the accompanying drawings. FIG. 1 is a flowchart showing a processing method of an operation request according to the present invention. Referring to FIG. 1, the processing method of the operation request of the present invention includes:
步骤 S 101, 第一终端获取操作内容;  Step S101: The first terminal acquires an operation content.
具体的, 第一终端可以为员工采用的终端, 可以为代理人采用的终端, 或者为请求人 采用的终端; 以通过第一终端实现相应请求。  Specifically, the first terminal may be a terminal used by the employee, may be a terminal used by the agent, or a terminal used by the requester; to implement a corresponding request by using the first terminal.
第一终端可以为固定终端或者移动终端, 固定终端可以为: PC机、 ATM机或者 POS 机等, 移动终端可以为: 笔记本电脑、 平板电脑、 智能手机或者手持 POS机等。  The first terminal may be a fixed terminal or a mobile terminal, and the fixed terminal may be: a PC, an ATM, or a POS. The mobile terminal may be: a laptop, a tablet, a smart phone, or a handheld POS.
第一终端可以通过有线或者无线的方式连接后台系统服务器, 以实现相应请求。  The first terminal can connect to the background system server by wire or wirelessly to implement the corresponding request.
其中, 本发明的操作内容可以为如下任一种:  The operation content of the present invention may be any of the following:
转账请求信息, 例如: 请求银行的转账业务;  Transfer request information, for example: requesting bank transfer business;
物流请求信息, 例如: 请求领导批准物流发送的业务;  Logistics request information, for example: requesting the leader to approve the business sent by the logistics;
访问请求信息, 例如: 请求访问某个主机或者服务器的业务;  Access request information, for example: requesting access to a host or server's business;
获取请求信息; 例如: 请求从某个主机或者服务器获取权限进行文件下载, 或者请求 从某个主机或者服务器获取下载的加密信息的解密信息等。  Obtain the request information; for example: request to obtain permission from a host or server for file download, or request decryption information of downloaded encrypted information from a host or server.
当然, 本发明的操作内容还可以包括上述请求的详情信息等。  Of course, the operation content of the present invention may further include the detailed information of the above request and the like.
步骤 S 102, 第一终端获取操作请求生成策略, 并根据操作请求生成策略以及操作内容 生成操作请求;  Step S102: The first terminal acquires an operation request generation policy, and generates an operation request according to the operation request and an operation content generation operation request.
具体的, 操作请求生成策略可以包括根据如下内容任一种生成操作请求:  Specifically, the operation request generation policy may include generating an operation request according to any one of the following contents:
身份标识信息以及授权密码; 如果采用授权密码, 则简单易行; 当然, 授权密码为动 态密码或者静态密码, 动态密码可以采用动态口令牌生成的动态密码, 静态密码可以是预 先设置的。 采用动态密码, 安全性更高, 采用静态密码, 简单易行。 或者  Identity information and authorization password; if an authorization password is used, it is simple and easy; of course, the authorization password is a dynamic password or a static password, and the dynamic password can be a dynamic password generated by a dynamic port token, which can be set in advance. With dynamic passwords, security is higher, and static passwords are simple and easy to use. Or
或者身份标识信息以及签名信息; 该签名信息可以是用户持有的 key的私钥对操作内 容进行签名获取的, 如果采用签名信息, 则提高安全性并防止抵赖。  Or the identity information and the signature information; the signature information may be obtained by signing the operation content of the key of the key held by the user, and if the signature information is used, the security is improved and the repudiation is prevented.
当然, 本发明可以根据用户操作请求的复杂程度设置不同的级别以获得静态密码、 动 态密码或者签名信息, 以上安全级别逐级增加。 例如: 转账金额较小时可以选择获取静态 密码的方式; 转账金额较大时, 可以选择获取签名信息的方式。  Of course, the present invention can set different levels according to the complexity of the user operation request to obtain a static password, a dynamic password or signature information, and the above security level is increased step by step. For example: When the transfer amount is small, you can choose the method of obtaining the static password. When the transfer amount is large, you can choose the way to obtain the signature information.
如果第一终端获取身份标识信息以及授权密码, 那么, 第一终端根据身份标识信息、 授权密码以及操作内容生成操作请求。 第一终端可以将身份标识信息、 授权密码以及操作 内容组合生成操作请求, 也可以对授权密码进行计算后, 将身份标识信息、 计算后的授权 密码以及操作内容组合成操作请求等。 对授权密码进行计算可以是计算授权密码的 MAC 值或者计算授权密码的 HASH值, 可以是对计算出的 MAC值或者 HASH值截取部分值。 对授权密码进行计算, 可以保证授权密码传输的安全性, 防止授权密码被获取。 第一终端 还可以直接对身份标识信息、 授权密码以及操作内容加密生成操作请求, 加密传输提高安 全性。 If the first terminal obtains the identity identification information and the authorization password, the first terminal according to the identity identification information, The authorization password and the operation content generate an operation request. The first terminal may combine the identity identification information, the authorization password, and the operation content to generate an operation request, and may also combine the identity identification information, the calculated authorization password, and the operation content into an operation request after calculating the authorization password. The calculation of the authorization password may be a calculation of the MAC value of the authorization password or a calculation of the HASH value of the authorization password, and may be a partial value of the calculated MAC value or HASH value. The calculation of the authorization password ensures the security of the authorized password transmission and prevents the authorization password from being obtained. The first terminal may also directly generate an operation request for encrypting the identity information, the authorization password, and the operation content, and the encrypted transmission improves security.
如果第一终端获取身份标识信息以及签名信息, 其中, 签名信息是对操作内容进行签 名获得的, 那么, 第一终端根据身份标识信息、 签名信息以及操作内容生成操作请求。 第 一终端可以将身份标识信息、 签名信息以及操作内容组合生成操作请求等, 或者第一终端 对身份标识信息、 签名信息以及操作内容加密生成操作请求, 加密传输提高安全性。  If the first terminal obtains the identity information and the signature information, wherein the signature information is obtained by signing the operation content, the first terminal generates an operation request according to the identity identification information, the signature information, and the operation content. The first terminal may combine the identity information, the signature information, and the operation content to generate an operation request, or the first terminal encrypts the identity identification information, the signature information, and the operation content to generate an operation request, and the encrypted transmission improves security.
步骤 S103, 第一终端将操作请求发送至后台系统服务器;  Step S103, the first terminal sends an operation request to the background system server;
步骤 S104, 后台系统服务器在获得操作请求后, 验证操作请求的合法性;  Step S104: After obtaining the operation request, the background system server verifies the legality of the operation request.
如果第一终端获取身份标识信息以及授权密码, 根据身份标识信息、 授权密码以及操 作内容生成操作请求, 那么后台系统服务器在获得操作请求后, 根据身份标识信息验证授 权密码的正确性, 如果验证授权密码正确, 则验证操作请求合法。  If the first terminal obtains the identity information and the authorization password, and generates an operation request according to the identity identification information, the authorization password, and the operation content, the background system server verifies the correctness of the authorization password according to the identity identification information after obtaining the operation request, if the authorization is verified If the password is correct, the verification operation request is legal.
如果操作请求是加密信息或者包含加密信息, 则后台系统服务器对其加密信息进行解 密后验证。  If the operation request is encrypted information or contains encrypted information, the background system server decrypts the encrypted information and then verifies it.
当授权密码为静态密码时, 该静态密码可以预存在后台系统服务器中, 与身份标识信 息存在对应关系, 后台系统服务器根据身份标识信息查找预存的静态密码。 如果第一终端 对静态密码计算 MAC值或者 HASH值, 则后台系统服务器在验证时也采用相同的方式计 算查找到的静态密码的 MAC值或者 HASH值, 从而进行验证。  When the authorization password is a static password, the static password may be pre-stored in the background system server, and has a correspondence relationship with the identity identification information, and the background system server searches for the pre-stored static password according to the identity identification information. If the first terminal calculates the MAC value or the HASH value for the static password, the background system server also uses the same method to calculate the MAC value or HASH value of the found static password in the same manner for verification.
当授权密码为动态密码时, 后台系统服务器可以采用与生成该动态密码的动态口令牌 相同的方式生成校验密码, 从而比对生成的校验密码与接收到的动态密码是否一致。 后台 系统服务器生成校验密码的方式与身份标识信息存在对应关系, 后台系统服务器根据身份 标识信息查找生成校验密码的方式并生成校验密码, 如果第一终端对动态密码计算 MAC 值或者 HASH 值, 则后台系统服务器在验证时也采用相同的方式计算生成的动态密码的 MAC值或者 HASH值。  When the authorization password is a dynamic password, the background system server can generate the verification password in the same manner as the dynamic port token that generates the dynamic password, so that the generated verification password is consistent with the received dynamic password. The backend system server generates a check password in a manner corresponding to the identity identifier information, and the background system server searches for a check password according to the identity identifier information and generates a check password. If the first terminal calculates a MAC value or a HASH value for the dynamic password. Then, the background system server calculates the MAC value or HASH value of the generated dynamic password in the same manner in the verification.
如果第一终端获取身份标识信息以及签名信息, 其中, 签名信息是对操作内容进行签 名获得的, 并根据身份标识信息、 签名信息以及操作内容生成操作请求, 那么后台系统服 务器在获得操作请求后, 根据身份标识信息以及操作内容验证签名信息的正确性, 如果验 证签名信息正确, 则验证操作请求合法。 例如: 后台系统服务器预存有用户持有的 key的 公钥, 该公钥与身份标识信息存在对应关系, 后台系统服务器根据身份标识信息查找公钥, 根据查找到的公钥以及接收到的操作内容对签名信息进行验签, 验签通过则验证操作请求 合法。 If the first terminal obtains the identity identification information and the signature information, wherein the signature information is obtained by signing the operation content, and generating an operation request according to the identity identification information, the signature information, and the operation content, the background system server obtains the operation request, Verify the correctness of the signature information based on the identity information and the operation content. If the signature information is correct, the verification operation request is legal. For example: The background system server pre-stores the public key of the key held by the user, and the public key has a correspondence relationship with the identity identification information, and the background system server searches for the public key according to the identity identification information, according to the found public key and the received operation content. The signature information is checked, and the verification request is valid.
只有后台系统服务器验证操作请求合法后才可以执行后续操作, 保证操作请求的真实 性、 合法性, 以及后续操作的安全性。  Only after the background system server verifies that the operation request is legal, the subsequent operations can be performed to ensure the authenticity, legality, and security of the subsequent operations.
步骤 S 105, 后台系统服务器在验证操作请求合法后, 将操作请求发送至第二终端; 具体的, 第二终端可以为领导采用的终端, 可以为授权人采用的终端, 或者为审批人 采用的终端; 以通过第二终端实现相应的授权操作。  Step S105: After the verification operation request is legal, the background system server sends the operation request to the second terminal. Specifically, the second terminal may be a terminal used by the leader, may be a terminal used by the authorized person, or used by the approver. a terminal; to implement a corresponding authorization operation by using the second terminal.
第二终端可以为固定终端或者移动终端, 固定终端可以为: PC机、 ATM机或者 POS 机等, 移动终端可以为: 笔记本电脑、 平板电脑、 智能手机或者手持 POS机等。  The second terminal may be a fixed terminal or a mobile terminal. The fixed terminal may be: a PC, an ATM, or a POS. The mobile terminal may be: a laptop, a tablet, a smart phone, or a handheld POS.
第二终端可以通过有线或者无线的方式连接后台系统服务器, 以实现相应的授权操作。 步骤 S 106, 第二终端在获得操作请求后, 获取请求发送策略, 并根据请求发送策略将 操作请求数据包发送至授权电子签名令牌, 其中, 操作请求数据包是根据请求发送策略以 及操作请求生成的;  The second terminal can connect to the background system server by wire or wirelessly to implement a corresponding authorization operation. Step S106: After obtaining the operation request, the second terminal acquires the request sending policy, and sends the operation request data packet to the authorized electronic signature token according to the request sending policy, where the operation request data packet is sent according to the request and the operation request. Generated;
具体的, 第二终端在获得操作请求后, 可以直接对操作请求进行转发, 可以对操作请 求进行处理后再发送; 如果直接转发, 操作简单方便, 如果对操作请求进行处理后再发送, 可以提高增加操作内容, 方便使用。  Specifically, after obtaining the operation request, the second terminal may directly forward the operation request, and may process the operation request and then send the message; if directly forwarding, the operation is simple and convenient, and if the operation request is processed and then sent, the second terminal may be improved. Increase the content of the operation, easy to use.
第二终端在获得操作请求后, 直接对操作请求进行转发可以采用如下方式: 第二终端获取转发策略, 将操作请求作为操作请求数据包发送至授权电子签名令牌。 第二终端在获得操作请求后, 对操作请求进行处理后再发送可以采用如下方式: 第二终端获取处理并发送策略, 根据处理并发送策略对操作请求进行处理生成操作请 求数据包, 并根据处理并发送策略将操作请求数据包发送至授权电子签名令牌。  After obtaining the operation request, the second terminal directly forwards the operation request in the following manner: The second terminal acquires the forwarding policy, and sends the operation request as an operation request data packet to the authorized electronic signature token. After obtaining the operation request, the second terminal may process the operation request and then send the following: The second terminal acquires the processing and sends the policy, and processes the operation request according to the processing and sending policy to generate an operation request data packet, and according to the processing And send a policy to send the operation request packet to the authorized electronic signature token.
该处理可以为在请求访问某个主机或者服务器的业务时, 增加权限设置等任意操作。 通过对操作请求进行处理, 可以增加与操作请求相关的其他操作, 提高安全性。  This processing can be any operation such as adding a permission setting when requesting access to a host or server. By processing the operation request, other operations related to the operation request can be added to improve security.
步骤 S 107, 授权电子签名令牌对操作请求数据包进行提示;  Step S107, authorizing the electronic signature token to prompt the operation request data packet;
具体的, 授权电子签名令牌为领导使用、 授权人使用或者审批人使用的 key, 可以为 USB key、蓝牙 key、红外 key、 NFC key、音频 key等任意可以与第二终端匹配连接的 key, 该授权电子签名令牌接收到操作请求数据包后,对操作请求数据包进行显示或者语音提示, 或者提取操作请求数据包中的关键信息进行显示或者语音提示, 以提示使用人知晓操作请 求为何种操作请求, 从而判断该操作请求是否可以被批准。 步骤 S 108, 授权电子签名令牌接收确认指令, 并根据确认指令对操作请求数据包进行 签名, 获得签名数据包; Specifically, the authorized electronic signature token is a key used by the leader, the authorized person, or the approver, and may be a key that can be matched with the second terminal, such as a USB key, a Bluetooth key, an infrared key, an NFC key, an audio key, and the like. After receiving the operation request data packet, the authorized electronic signature token displays or voice prompts the operation request data packet, or extracts key information in the operation request data packet for display or voice prompt to prompt the user to know the operation request. The request is manipulated to determine if the operational request can be approved. Step S108, the authorized electronic signature token receives the confirmation instruction, and signs the operation request data packet according to the confirmation instruction to obtain the signature data packet;
具体的, 如果授权电子签名令牌的使用人确认操作请求是真实的, 可以被批准的, 则 按下授权电子签名令牌上设置按键(例如 OK按键),以发送确认指令至授权电子签名令牌, 授权电子签名令牌在接收到该确认指令后, 根据该授权电子签名令牌的私钥对操作请求数 据包进行签名, 获得签名数据包。  Specifically, if the user who authorizes the electronic signature token confirms that the operation request is authentic and can be approved, press the setting button on the authorized electronic signature token (for example, an OK button) to send a confirmation command to the authorized electronic signature order. After receiving the confirmation command, the authorized electronic signature token signs the operation request data packet according to the private key of the authorized electronic signature token to obtain a signature data packet.
通过授权电子签名令牌的使用人对操作请求数据包进行签名, 保证了审批的不可抵赖 性。  By authorizing the user of the electronic signature token to sign the operation request packet, the non-repudiation of the approval is guaranteed.
步骤 S 109, 授权电子签名令牌将签名数据包发送至第二终端;  Step S109, authorizing the electronic signature token to send the signature data packet to the second terminal;
步骤 S 110, 第二终端将签名数据包以及操作请求数据包发送至后台系统服务器; 步骤 S 111 , 后台系统服务器对签名数据包进行验证;  Step S110: The second terminal sends the signature data packet and the operation request data packet to the background system server. Step S111: The background system server verifies the signature data packet.
具体的, 后台系统服务器预存有授权电子签名令牌的公钥, 在后台系统服务器接收到 签名数据包以及操作请求数据包后, 可以根据身份标识信息查找到与授权电子签名令牌对 应的公钥, 在根据该公钥对签名数据包进行验证。  Specifically, the background system server prestores the public key of the authorized electronic signature token. After the background system server receives the signature data packet and the operation request data packet, the public key corresponding to the authorized electronic signature token may be found according to the identity identification information. , verifying the signature packet based on the public key.
步骤 S 112, 后台系统服务器在验证签名数据包通过后, 根据操作请求数据包执行操作 请求。  Step S112: After verifying that the signature data packet is passed, the background system server performs an operation request according to the operation request data packet.
此时, 只有后台系统服务器在验证签名数据包通过后, 才根据操作请求数据包执行操 作请求, 保证了操作请求的真实性和安全性。  At this time, only the background system server performs the operation request according to the operation request data packet after verifying that the signature data packet is passed, thereby ensuring the authenticity and security of the operation request.
当然, 根据操作内容的不同,  Of course, depending on the content of the operation,
后台系统服务器在验证签名数据包通过后, 可以执行如下不同的操作:  After the background system server verifies that the signature packet has passed, it can perform the following different operations:
根据转账请求信息执行转账操作;  Performing a transfer operation according to the transfer request information;
根据物流请求信息执行物流操作;  Performing logistics operations based on logistics request information;
根据访问请求信息执行访问权限设置操作; 或者  Perform an access permission setting operation based on the access request information; or
根据获取请求执行发送操作。  The sending operation is performed according to the acquisition request.
由此可见, 采用了本发明的操作请求的处理方法, 可以以电子形式进行审批, 方便使 用的同时还保证了审批的安全性和不可抵赖性。 图 2出示了操作请求的处理系统的结构示意图, 而本发明的操作请求的处理系统采用 上述的操作请求的处理方法, 在此不再一一说明, 仅对操作请求的处理系统的结构及其各 自的功能进行简单的说明, 参见图 2, 操作请求的处理系统包括: 第一终端 201、 后台系统 服务器 202、 第二终端 203以及授权电子签名令牌 204; 其中, 第一终端 201获取操作内容, 获取操作请求生成策略, 并根据操作请求生成策略以及 操作内容生成操作请求, 将操作请求发送至后台系统服务器 202; 其中, 操作内容可以包 括: 转账请求信息、 物流请求信息、 访问请求信息或者获取请求信息。 It can be seen that the processing method using the operation request of the present invention can be approved in an electronic form, which is convenient for use and ensures the security and non-repudiation of the approval. 2 is a schematic structural diagram of a processing system for operating an operation request, and the processing system of the operation request of the present invention adopts the processing method of the above operation request, which is not described herein, and only the structure of the processing system for the operation request and The respective functions are briefly described. Referring to FIG. 2, the processing system for the operation request includes: a first terminal 201, a background system server 202, a second terminal 203, and an authorized electronic signature token 204; The first terminal 201 obtains the operation content, acquires the operation request generation policy, and generates an operation request and an operation content generation operation request according to the operation request, and sends the operation request to the background system server 202. The operation content may include: the transfer request information, the logistics request Information, access request information, or get request information.
后台系统服务器 202在获得操作请求后, 验证操作请求的合法性, 在验证操作请求合 法后, 将操作请求发送至第二终端 203, 对签名数据包进行验证, 在验证签名数据包通过 后, 根据操作请求数据包执行操作请求;  After obtaining the operation request, the background system server 202 verifies the legality of the operation request. After the verification operation request is legal, the operation request is sent to the second terminal 203 to verify the signature data packet, after verifying that the signature data packet is passed, according to the verification The operation request packet performs an operation request;
第二终端 203在获得操作请求后, 获取请求发送策略, 并根据请求发送策略将操作请 求数据包发送至授权电子签名令牌 204, 其中, 操作请求数据包是根据请求发送策略以及 操作请求生成的, 并将签名数据包以及操作请求数据包发送至后台系统服务器 202;  After obtaining the operation request, the second terminal 203 acquires the request sending policy, and sends the operation request data packet to the authorized electronic signature token 204 according to the request sending policy, where the operation request data packet is generated according to the request sending policy and the operation request. And sending the signature data packet and the operation request data packet to the background system server 202;
授权电子签名令牌 204对操作请求数据包进行提示, 接收确认指令, 并根据确认指令 对操作请求数据包进行签名, 获得签名数据包, 将签名数据包发送至第二终端 203。  The authorization electronic signature token 204 prompts the operation request data packet, receives the confirmation command, and signs the operation request data packet according to the confirmation instruction, obtains the signature data packet, and transmits the signature data packet to the second terminal 203.
另外, 第一终端 201可以通过如下方式生成操作请求:  In addition, the first terminal 201 can generate an operation request by:
方式一: 第一终端 201获取身份标识信息以及授权密码, 根据身份标识信息、 授权密 码以及操作内容生成操作请求; 其中, 授权密码为动态密码或者静态密码。  Manner 1: The first terminal 201 obtains the identity identification information and the authorization password, and generates an operation request according to the identity identification information, the authorization password, and the operation content. The authorization password is a dynamic password or a static password.
此时, 后台系统服务器通过如下方式验证操作请求的合法性:  At this point, the background system server verifies the legality of the operation request as follows:
后台系统服务器 202在获得操作请求后, 根据身份标识信息验证授权密码的正确性, 如果验证授权密码正确, 则验证操作请求合法。  After obtaining the operation request, the background system server 202 verifies the correctness of the authorization password according to the identity identification information. If the verification authorization password is correct, the verification operation request is legal.
方式二: 第一终端 201获取身份标识信息以及签名信息, 其中, 签名信息是对操作内 容进行签名获得的, 根据身份标识信息、 签名信息以及操作内容生成操作请求;  Manner 2: The first terminal 201 obtains the identity identification information and the signature information, where the signature information is obtained by signing the operation content, and generating an operation request according to the identity identification information, the signature information, and the operation content;
此时, 后台系统服务器通过如下方式验证操作请求的合法性:  At this point, the background system server verifies the legality of the operation request as follows:
后台系统服务器 202在获得操作请求后, 根据身份标识信息以及操作内容验证签名信 息的正确性, 如果验证签名信息正确, 则验证操作请求合法。  After obtaining the operation request, the background system server 202 verifies the correctness of the signature information according to the identity identification information and the operation content. If the verification signature information is correct, the verification operation request is legal.
当然, 第二终端 203在获得操作请求后, 可以通过如下方式将操作请求数据包发送至 授权电子签名令牌 204:  Of course, after obtaining the operation request, the second terminal 203 can send the operation request data packet to the authorized electronic signature token 204 by:
方式一: 第二终端 203获取转发策略, 将操作请求作为操作请求数据包发送至授权电 子签名令牌 204。  Manner 1: The second terminal 203 acquires the forwarding policy, and sends the operation request as an operation request packet to the authorized electronic signature token 204.
方式二: 第二终端 203在获得操作请求后, 获取处理并发送策略, 根据处理并发送策 略对操作请求进行处理生成操作请求数据包, 并根据处理并发送策略将操作请求数据包发 送至授权电子签名令牌 204。  Manner 2: After obtaining the operation request, the second terminal 203 acquires the processing and sends the policy, processes the operation request according to the processing and sending policy, generates an operation request data packet, and sends the operation request data packet to the authorized electronic device according to the processing and sending policy. Signing token 204.
此外, 后台系统服务器 202在验证签名数据包通过后, 可以通过如下方式执行操作请 求: 根据转账请求信息执行转账操作; In addition, after verifying that the signature data packet is passed, the background system server 202 can perform the operation request by: Performing a transfer operation according to the transfer request information;
根据物流请求信息执行物流操作;  Performing logistics operations based on logistics request information;
根据访问请求信息执行访问权限设置操作; 或者  Perform an access permission setting operation based on the access request information; or
根据获取请求执行发送操作。  The sending operation is performed according to the acquisition request.
由此可见, 采用了本发明的操作请求的处理系统, 可以以电子形式进行审批, 方便使 用的同时还保证了审批的安全性和不可抵赖性。  It can be seen that the processing system using the operation request of the present invention can be approved in an electronic form, and is convenient to use while ensuring the security and non-repudiation of the approval.
当然, 本发明的操作请求的处理系统中, 每个装置可以由各自的 CPU或者芯片执行相 关操作, 各个装置可以划分不同的模块完成的不同操作, 也可以由一个模块完成全部的操 作, 只要采用了本发明的方案, 实现了本发明的目的, 达到了本发明的效果均应属于本发 明的保护范围。 流程图中或在此以其他方式描述的任何过程或方法描述可以被理解为, 表示包括一个 或更多个用于实现特定逻辑功能或过程的步骤的可执行指令的代码的模块、 片段或部分, 并且本发明的优选实施方式的范围包括另外的实现, 其中可以不按所示出或讨论的顺序, 包括根据所涉及的功能按基本同时的方式或按相反的顺序, 来执行功能, 这应被本发明的 实施例所属技术领域的技术人员所理解。  Of course, in the processing system of the operation request of the present invention, each device may perform related operations by a respective CPU or chip, each device may divide different operations performed by different modules, or may complete all operations by one module, as long as The solution of the present invention achieves the object of the present invention, and the effects of the present invention are all within the scope of protection of the present invention. Any process or method description in the flowcharts or otherwise described herein may be understood to represent a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a particular logical function or process. And the scope of the preferred embodiments of the invention includes additional implementations, in which the functions may be performed in a substantially simultaneous manner or in an opposite order depending on the functions involved, in the order shown or discussed. It will be understood by those skilled in the art to which the embodiments of the present invention pertain.
应当理解, 本发明的各部分可以用硬件、 软件、 固件或它们的组合来实现。 在上述实 施方式中, 多个步骤或方法可以用存储在存储器中且由合适的指令执行系统执行的软件或 固件来实现。 例如, 如果用硬件来实现, 和在另一实施方式中一样, 可用本领域公知的下 列技术中的任一项或他们的组合来实现: 具有用于对数据信号实现逻辑功能的逻辑门电路 的离散逻辑电路, 具有合适的组合逻辑门电路的专用集成电路, 可编程门阵列 (PGA), 现 场可编程门阵列 (FPGA) 等。  It should be understood that portions of the invention may be implemented in hardware, software, firmware or a combination thereof. In the above-described embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented with any one or combination of the following techniques well known in the art: having logic gates for implementing logic functions on data signals Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
本技术领域的普通技术人员可以理解实现上述实施例方法携带的全部或部分步骤是可 以通过程序来指令相关的硬件完成, 所述的程序可以存储于一种计算机可读存储介质中, 该程序在执行时, 包括方法实施例的步骤之一或其组合。  One of ordinary skill in the art can understand that all or part of the steps carried by the method of implementing the above embodiments can be completed by a program to instruct related hardware, and the program can be stored in a computer readable storage medium. When executed, one or a combination of the steps of the method embodiments is included.
此外, 在本发明各个实施例中的各功能单元可以集成在一个处理模块中, 也可以是各 个单元单独物理存在, 也可以两个或两个以上单元集成在一个模块中。 上述集成的模块既 可以采用硬件的形式实现, 也可以采用软件功能模块的形式实现。 所述集成的模块如果以 软件功能模块的形式实现并作为独立的产品销售或使用时, 也可以存储在一个计算机可读 取存储介质中。  In addition, each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module. The above integrated modules can be implemented in the form of hardware or in the form of software functional modules. The integrated modules, if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
上述提到的存储介质可以是只读存储器, 磁盘或光盘等。 在本说明书的描述中, 参考术语"一个实施例"、 "一些实施例"、 "示例"、 "具体示例"、 或"一些示例"等的描述意指结合该实施例或示例描述的具体特征、 结构、 材料或者特点包 含于本发明的至少一个实施例或示例中。 在本说明书中, 对上述术语的示意性表述不一定 指的是相同的实施例或示例。 而且, 描述的具体特征、 结构、 材料或者特点可以在任何的 一个或多个实施例或示例中以合适的方式结合。 尽管上面已经示出和描述了本发明的实施例, 可以理解的是, 上述实施例是示例性的, 不能理解为对本发明的限制, 本领域的普通技术人员在不脱离本发明的原理和宗旨的情况 下在本发明的范围内可以对上述实施例进行变化、 修改、 替换和变型。 本发明的范围由所 附权利要求及其等同限定。 The above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like. In the description of the present specification, the description of the terms "one embodiment", "some embodiments", "example", "specific example", or "some examples" and the like means a specific feature described in connection with the embodiment or example. A structure, material or feature is included in at least one embodiment or example of the invention. In the present specification, the schematic representation of the above terms does not necessarily mean the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. Although the embodiments of the present invention have been shown and described, it is understood that the foregoing embodiments are illustrative and not restrictive Variations, modifications, alterations and variations of the above-described embodiments are possible within the scope of the invention. The scope of the invention is defined by the appended claims and their equivalents.

Claims

权利要求书 claims
1、 一种操作请求的处理方法, 其特征在于, 包括: 1. A method for processing operation requests, which is characterized by including:
第一终端获取操作内容; The first terminal obtains the operation content;
所述第一终端获取操作请求生成策略, 并根据所述操作请求生成策略以及所述操作内 容生成操作请求; The first terminal obtains an operation request generation strategy and generates an operation request according to the operation request generation strategy and the operation content;
所述第一终端将所述操作请求发送至所述后台系统服务器; The first terminal sends the operation request to the backend system server;
所述后台系统服务器在获得所述操作请求后, 验证所述操作请求的合法性; 所述后台系统服务器在验证所述操作请求合法后, 将所述操作请求发送至第二终端; 所述第二终端在获得所述操作请求后, 获取请求发送策略, 并根据所述请求发送策略 将操作请求数据包发送至授权电子签名令牌, 其中, 所述操作请求数据包是根据所述请求 发送策略以及所述操作请求生成的; After obtaining the operation request, the back-end system server verifies the legality of the operation request; after verifying that the operation request is legal, the back-end system server sends the operation request to the second terminal; After obtaining the operation request, the second terminal obtains the request sending policy, and sends the operation request data packet to the authorized electronic signature token according to the request sending policy, wherein the operation request data packet is sent according to the request sending policy and generated by the operation request;
所述授权电子签名令牌对所述操作请求数据包进行提示; The authorized electronic signature token prompts the operation request data packet;
所述授权电子签名令牌接收确认指令, 并根据所述确认指令对所述操作请求数据包进 行签名, 获得签名数据包; The authorized electronic signature token receives a confirmation instruction, and signs the operation request data packet according to the confirmation instruction to obtain a signed data packet;
所述授权电子签名令牌将所述签名数据包发送至所述第二终端; The authorized electronic signature token sends the signed data packet to the second terminal;
所述第二终端将所述签名数据包以及所述操作请求数据包发送至后台系统服务器; 所述后台系统服务器对所述签名数据包进行验证; The second terminal sends the signature data packet and the operation request data packet to a backend system server; the backend system server verifies the signature data packet;
所述后台系统服务器在验证所述签名数据包通过后, 根据所述操作请求数据包执行所 述操作请求。 After verifying that the signature data packet passes, the backend system server executes the operation request according to the operation request data packet.
2、 根据权利要求 1所述的方法, 其特征在于, 2. The method according to claim 1, characterized in that,
所述第一终端获取操作请求生成策略, 并根据所述操作请求生成策略以及所述操作内 容生成操作请求的步骤包括: The steps of the first terminal obtaining an operation request generation strategy and generating an operation request according to the operation request generation strategy and the operation content include:
所述第一终端获取身份标识信息以及授权密码; The first terminal obtains identity identification information and authorization password;
所述第一终端根据所述身份标识信息、 所述授权密码以及所述操作内容生成所述操作 请求; The first terminal generates the operation request based on the identity identification information, the authorization password and the operation content;
所述后台系统服务器在获得所述操作请求后,验证所述操作请求的合法性的步骤包括: 所述后台系统服务器在获得所述操作请求后, 根据所述身份标识信息验证所述授权密 码的正确性, 如果验证所述授权密码正确, 则验证所述操作请求合法。 After the back-end system server obtains the operation request, the step of verifying the legality of the operation request includes: after the back-end system server obtains the operation request, verify the authorization password according to the identity identification information. Correctness, if the authorization password is verified to be correct, the operation request is verified to be legal.
3、根据权利要求 2所述的方法,其特征在于,所述授权密码为动态密码或者静态密码。 3. The method according to claim 2, characterized in that the authorization password is a dynamic password or a static password.
4、 根据权利要求 1所述的方法, 其特征在于, 4. The method according to claim 1, characterized in that,
所述第一终端获取操作请求生成策略, 并根据所述操作请求生成策略以及所述操作内 容生成操作请求的步骤包括: The steps of the first terminal obtaining an operation request generation strategy and generating an operation request according to the operation request generation strategy and the operation content include:
所述第一终端获取身份标识信息以及签名信息, 其中, 所述签名信息是对所述操作内 容进行签名获得的; The first terminal obtains identity identification information and signature information, wherein the signature information is obtained by signing the operation content;
所述第一终端根据所述身份标识信息、 所述签名信息以及所述操作内容生成所述操作 请求; The first terminal generates the operation request based on the identity identification information, the signature information and the operation content;
所述后台系统服务器在获得所述操作请求后,验证所述操作请求的合法性的步骤包括: 所述后台系统服务器在获得所述操作请求后, 根据所述身份标识信息以及所述操作内 容验证所述签名信息的正确性, 如果验证所述签名信息正确, 则验证所述操作请求合法。 After the back-end system server obtains the operation request, the step of verifying the legality of the operation request includes: after the back-end system server obtains the operation request, verify based on the identity identification information and the operation content The correctness of the signature information. If the signature information is verified to be correct, the operation request is verified to be legal.
5、 根据权利要求 1至 4任一项所述的方法, 其特征在于, 所述第二终端在获得所述操 作请求后, 获取请求发送策略, 并根据所述请求发送策略将操作请求数据包发送至授权电 子签名令牌的步骤包括: 5. The method according to any one of claims 1 to 4, characterized in that, after obtaining the operation request, the second terminal obtains a request sending policy, and sends the operation request data packet according to the request sending policy. The steps to send an authorized electronic signature token include:
所述第二终端在获得所述操作请求后, 获取转发策略; After obtaining the operation request, the second terminal obtains the forwarding policy;
所述第二终端将所述操作请求作为操作请求数据包发送至授权电子签名令牌。 The second terminal sends the operation request as an operation request data packet to the authorized electronic signature token.
6、 根据权利要求 1至 4任一项所述的方法, 其特征在于, 所述第二终端在获得所述操 作请求后, 获取请求发送策略, 并根据所述请求发送策略将操作请求数据包发送至授权电 子签名令牌的步骤包括: 6. The method according to any one of claims 1 to 4, characterized in that, after obtaining the operation request, the second terminal obtains the request sending policy, and sends the operation request data packet according to the request sending policy. The steps to send an authorized electronic signature token include:
所述第二终端在获得所述操作请求后, 获取处理并发送策略; After obtaining the operation request, the second terminal obtains processing and sends a policy;
所述第二终端根据所述处理并发送策略对所述操作请求进行处理生成操作请求数据 包, 并根据所述处理并发送策略将所述操作请求数据包发送至授权电子签名令牌。 The second terminal processes the operation request according to the processing and sending policy to generate an operation request data packet, and sends the operation request data packet to the authorized electronic signature token according to the processing and sending policy.
7、 根据权利要求 1至 6任一项所述的方法, 其特征在于, 所述操作内容包括: 转账请求信息、 物流请求信息、 访问请求信息或者获取请求信息。 7. The method according to any one of claims 1 to 6, characterized in that the operation content includes: transfer request information, logistics request information, access request information or acquisition request information.
8、 根据权利要求 7所述的方法, 其特征在于, 所述后台系统服务器在验证所述签名数 据包通过后, 根据所述操作请求数据包执行所述操作请求的步骤包括: 8. The method according to claim 7, characterized in that, after the back-end system server verifies that the signature data packet passes, the step of executing the operation request according to the operation request data packet includes:
所述后台系统服务器在验证所述签名数据包通过后, 根据所述转账请求信息执行转账 操作; After verifying that the signature data packet passes, the backend system server performs a transfer operation based on the transfer request information;
所述后台系统服务器在验证所述签名数据包通过后, 根据所述物流请求信息执行物流 操作; After verifying that the signature data packet passes, the backend system server performs logistics operations based on the logistics request information;
所述后台系统服务器在验证所述签名数据包通过后, 根据所述访问请求信息执行访问 权限设置操作; 或者 所述后台系统服务器在验证所述签名数据包通过后,根据所述获取请求执行发送操作。 After verifying that the signed data packet passes, the backend system server performs an access permission setting operation based on the access request information; or After verifying that the signature data packet passes, the backend system server performs a sending operation according to the acquisition request.
9、 一种操作请求的处理系统, 其特征在于, 包括: 第一终端、 后台系统服务器、 第二 终端以及授权电子签名令牌; 其中, 9. An operation request processing system, characterized by including: a first terminal, a backend system server, a second terminal and an authorized electronic signature token; wherein,
所述第一终端获取操作内容, 获取操作请求生成策略, 并根据所述操作请求生成策略 以及所述操作内容生成操作请求, 将所述操作请求发送至所述后台系统服务器; The first terminal obtains the operation content, obtains the operation request generation strategy, generates an operation request according to the operation request generation strategy and the operation content, and sends the operation request to the backend system server;
所述后台系统服务器在获得所述操作请求后, 验证所述操作请求的合法性, 在验证所 述操作请求合法后, 将所述操作请求发送至所述第二终端, 对签名数据包进行验证, 在验 证所述签名数据包通过后, 根据所述操作请求数据包执行所述操作请求; After obtaining the operation request, the backend system server verifies the legality of the operation request. After verifying that the operation request is legal, the backend system server sends the operation request to the second terminal to verify the signature data packet. , after verifying that the signature data packet passes, execute the operation request according to the operation request data packet;
所述第二终端在获得所述操作请求后, 获取请求发送策略, 并根据所述请求发送策略 将操作请求数据包发送至所述授权电子签名令牌, 其中, 所述操作请求数据包是根据所述 请求发送策略以及所述操作请求生成的, 并将所述签名数据包以及所述操作请求数据包发 送至所述后台系统服务器; After obtaining the operation request, the second terminal obtains the request sending policy, and sends the operation request data packet to the authorized electronic signature token according to the request sending policy, wherein the operation request data packet is sent according to the request sending policy. The request sending policy and the operation request are generated, and the signature data packet and the operation request data packet are sent to the backend system server;
所述授权电子签名令牌对所述操作请求数据包进行提示, 接收确认指令, 并根据所述 确认指令对所述操作请求数据包进行签名, 获得签名数据包, 将所述签名数据包发送至所 述第二终端。 The authorized electronic signature token prompts the operation request data packet, receives a confirmation instruction, signs the operation request data packet according to the confirmation instruction, obtains the signature data packet, and sends the signature data packet to the second terminal.
10、 根据权利要求 9所述的系统, 其特征在于, 10. The system according to claim 9, characterized in that,
所述第一终端获取身份标识信息以及授权密码, 根据所述身份标识信息、 所述授权密 码以及所述操作内容生成所述操作请求; The first terminal obtains the identity identification information and the authorization password, and generates the operation request based on the identity identification information, the authorization password and the operation content;
所述后台系统服务器在获得所述操作请求后, 根据所述身份标识信息验证所述授权密 码的正确性, 如果验证所述授权密码正确, 则验证所述操作请求合法。 After obtaining the operation request, the backend system server verifies the correctness of the authorization password based on the identity identification information. If the authorization password is verified to be correct, the operation request is verified to be legal.
11、 根据权利要求 10所述的系统, 其特征在于, 所述授权密码为动态密码或者静态密 码。 11. The system according to claim 10, characterized in that the authorization password is a dynamic password or a static password.
12、 根据权利要求 9所述的系统, 其特征在于, 12. The system according to claim 9, characterized in that,
所述第一终端获取身份标识信息以及签名信息, 其中, 所述签名信息是对所述操作内 容进行签名获得的, 根据所述身份标识信息、 所述签名信息以及所述操作内容生成所述操 作请求; The first terminal acquires identity identification information and signature information, wherein the signature information is obtained by signing the operation content, and the operation is generated based on the identity identification information, the signature information and the operation content. ask;
所述后台系统服务器在获得所述操作请求后, 根据所述身份标识信息以及所述操作内 容验证所述签名信息的正确性, 如果验证所述签名信息正确, 则验证所述操作请求合法。 After obtaining the operation request, the backend system server verifies the correctness of the signature information based on the identity identification information and the operation content. If the signature information is verified to be correct, the operation request is verified to be legal.
13、 根据权利要求 9至 12任一项所述的系统, 其特征在于, 所述第二终端在获得所述 操作请求后, 获取转发策略, 将所述操作请求作为操作请求数据包发送至授权电子签名令 牌。 13. The system according to any one of claims 9 to 12, characterized in that, after obtaining the operation request, the second terminal obtains the forwarding policy and sends the operation request as an operation request data packet to the authorized Electronic signature token.
14、 根据权利要求 9至 12任一项所述的系统, 其特征在于, 所述第二终端在获得所述 操作请求后, 获取处理并发送策略, 根据所述处理并发送策略对所述操作请求进行处理生 成操作请求数据包, 并根据所述处理并发送策略将所述操作请求数据包发送至授权电子签 名令牌。 14. The system according to any one of claims 9 to 12, characterized in that, after obtaining the operation request, the second terminal obtains a processing and sending policy, and performs processing on the operation according to the processing and sending policy. The request is processed to generate an operation request data packet, and the operation request data packet is sent to the authorized electronic signature token according to the processing and sending policy.
15、 根据权利要求 9至 14任一项所述的系统, 其特征在于, 所述操作内容包括: 转账请求信息、 物流请求信息、 访问请求信息或者获取请求信息。 15. The system according to any one of claims 9 to 14, characterized in that the operation content includes: transfer request information, logistics request information, access request information or acquisition request information.
16、 根据权利要求 15所述的系统, 其特征在于, 16. The system according to claim 15, characterized in that,
所述后台系统服务器在验证所述签名数据包通过后, 根据所述转账请求信息执行转账 操作; After verifying that the signature data packet passes, the backend system server performs a transfer operation based on the transfer request information;
所述后台系统服务器在验证所述签名数据包通过后, 根据所述物流请求信息执行物流 操作; After verifying that the signature data packet passes, the backend system server performs logistics operations based on the logistics request information;
所述后台系统服务器在验证所述签名数据包通过后, 根据所述访问请求信息执行访问 权限设置操作; 或者 After verifying that the signature data packet passes, the backend system server performs an access permission setting operation based on the access request information; or
所述后台系统服务器在验证所述签名数据包通过后,根据所述获取请求执行发送操作。 After verifying that the signature data packet passes, the backend system server performs a sending operation according to the acquisition request.
PCT/CN2014/076443 2013-07-12 2014-04-29 Operation request processing method and system WO2015003521A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310294089.2A CN103401844B (en) 2013-07-12 2013-07-12 The processing method of operation requests and system
CN201310294089.2 2013-07-12

Publications (1)

Publication Number Publication Date
WO2015003521A1 true WO2015003521A1 (en) 2015-01-15

Family

ID=49565370

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/076443 WO2015003521A1 (en) 2013-07-12 2014-04-29 Operation request processing method and system

Country Status (2)

Country Link
CN (1) CN103401844B (en)
WO (1) WO2015003521A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111784124A (en) * 2020-06-12 2020-10-16 中信银行股份有限公司 Task processing method, device and equipment and computer readable storage medium

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401844B (en) * 2013-07-12 2016-09-14 天地融科技股份有限公司 The processing method of operation requests and system
CN103701782A (en) * 2013-12-16 2014-04-02 天地融科技股份有限公司 Data transmission method and system
CN103944726B (en) * 2014-04-25 2018-05-29 天地融科技股份有限公司 Operation requests processing system
CN105656850B (en) * 2014-11-13 2020-08-14 腾讯数码(深圳)有限公司 Data processing method, related device and system
CN105827405A (en) * 2015-01-05 2016-08-03 中国移动通信集团陕西有限公司 Remotely-controlled safety lock device and remote control method thereof
CN104811309B (en) * 2015-03-24 2018-07-17 天地融科技股份有限公司 A kind of long-range method and system using intelligent cipher key equipment
CN106506496A (en) * 2016-10-27 2017-03-15 宇龙计算机通信科技(深圳)有限公司 A kind of methods, devices and systems that withdraws the money without card
CN108268303A (en) * 2017-01-03 2018-07-10 北京润信恒达科技有限公司 A kind of operation requests method, apparatus and system
CN109474924A (en) * 2017-09-07 2019-03-15 中兴通讯股份有限公司 A kind of restoration methods, device, computer equipment and the storage medium of lock network file
CN110278083B (en) * 2018-03-16 2021-11-30 腾讯科技(深圳)有限公司 Identity authentication request processing method and device, and equipment resetting method and device
CN108763892A (en) * 2018-04-18 2018-11-06 Oppo广东移动通信有限公司 Right management method, device, mobile terminal and storage medium
CN108763884B (en) * 2018-04-18 2022-01-11 Oppo广东移动通信有限公司 Authority management method, device, mobile terminal and storage medium
CN108600218B (en) * 2018-04-23 2020-12-29 捷德(中国)科技有限公司 Remote authorization system and remote authorization method
CN112184150A (en) * 2020-09-17 2021-01-05 杭州安恒信息技术股份有限公司 Multi-party approval method, device and system in data sharing exchange and electronic device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102496125A (en) * 2011-12-21 2012-06-13 成都英黎科技有限公司 Transferring method and system based on mobile terminal
CN102737313A (en) * 2012-05-25 2012-10-17 天地融科技股份有限公司 Method and system for authorizing verification on electronic signature tools and electronic signature tools
CN102870132A (en) * 2009-12-15 2013-01-09 艾菲尼迪公司 Systems, apparatus, and methods for identity verification and funds transfer via payment proxy system
CN103077460A (en) * 2012-10-31 2013-05-01 中华电信股份有限公司 System and method for financial certificate transaction by mobile device
CN103401844A (en) * 2013-07-12 2013-11-20 天地融科技股份有限公司 Operation request processing method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4474845B2 (en) * 2002-06-12 2010-06-09 株式会社日立製作所 Authentication infrastructure system with CRL issue notification function
CN102724647B (en) * 2012-06-06 2014-08-13 电子科技大学 Method and system for access capability authorization

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102870132A (en) * 2009-12-15 2013-01-09 艾菲尼迪公司 Systems, apparatus, and methods for identity verification and funds transfer via payment proxy system
CN102496125A (en) * 2011-12-21 2012-06-13 成都英黎科技有限公司 Transferring method and system based on mobile terminal
CN102737313A (en) * 2012-05-25 2012-10-17 天地融科技股份有限公司 Method and system for authorizing verification on electronic signature tools and electronic signature tools
CN103077460A (en) * 2012-10-31 2013-05-01 中华电信股份有限公司 System and method for financial certificate transaction by mobile device
CN103401844A (en) * 2013-07-12 2013-11-20 天地融科技股份有限公司 Operation request processing method and system

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111784124A (en) * 2020-06-12 2020-10-16 中信银行股份有限公司 Task processing method, device and equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN103401844B (en) 2016-09-14
CN103401844A (en) 2013-11-20

Similar Documents

Publication Publication Date Title
WO2015003521A1 (en) Operation request processing method and system
TWI719190B (en) Offline payment method and device
TWI792284B (en) Methods for validating online access to secure device functionality
TWI667585B (en) Method and device for safety authentication based on biological characteristics
KR101666374B1 (en) Method, apparatus and computer program for issuing user certificate and verifying user
US9521548B2 (en) Secure registration of a mobile device for use with a session
EP2556624B1 (en) Credential provision and proof system
US10630488B2 (en) Method and apparatus for managing application identifier
JP2018532301A (en) User authentication method and apparatus
US20130311382A1 (en) Obtaining information for a payment transaction
US20140041000A1 (en) Enhanced 2chk authentication security with information conversion based on user-selected persona
US20130311768A1 (en) Secure authentication of a user using a mobile device
JP2017528963A (en) System and method for establishing trust using a secure transmission protocol
JP2016096547A (en) Method for non-repudiation, and payment managing server and user terminal therefor
TW201903637A (en) Query system, method and non-transitory machine-readable medium to determine authentication capabilities
CN105184557B (en) Payment authentication method and system
KR101702748B1 (en) Method, system and recording medium for user authentication using double encryption
WO2014187206A1 (en) Method and system for backing up private key in electronic signature token
WO2014201907A1 (en) Electronic signature method and system
WO2015161690A1 (en) Secure data interaction method and system
US10439809B2 (en) Method and apparatus for managing application identifier
WO2017000479A1 (en) Identity information authentication method, user terminal, service terminal, authentication server, and service system
WO2014187210A1 (en) Method and system for backing up private key of electronic signature token
TW201607285A (en) Method for verifying secruity data, system, and a computer-readable storage device
JP2018529137A (en) Method and apparatus for service authentication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14822989

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2014822989

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2014822989

Country of ref document: EP

122 Ep: pct application non-entry in european phase

Ref document number: 14822989

Country of ref document: EP

Kind code of ref document: A1