WO2018228199A1 - Authorization method and associated device - Google Patents


Info

Publication number
WO2018228199A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
terminal device
signature information
information
temporary certificate
Prior art date
Application number
PCT/CN2018/089039
Other languages
English (en)
Chinese (zh)
Inventor
袁哲
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2018228199A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the present application relates to the field of communications technologies, and in particular, to an authorization method and related devices.
  • the resource owner needs to be authorized, and the terminal device can access the resource under the authorization of the resource owner.
  • when the terminal device accesses the resource, it first sends a request message to the resource owner, and the resource owner sends an authorization code to the terminal device.
  • the terminal device then requests the access token from the authorization server by using the authorization code, and the authorization server verifies the terminal device.
  • after the verification, the access token is returned to the terminal device, and the terminal device accesses the resource on the resource owner through the access token.
  • the specific process is shown in FIG. 1 .
  • the resource owner's authorization process for the terminal device is real-time authorization, and refined permission requirements cannot be defined for the terminal device.
  • the rights are divided into coarse-grained categories, which cannot satisfy the fine-grained rights management requirements of the cloud service, and using the access token as the credential for accessing the resource after authorization is less secure.
  • the embodiment of the present application provides an authorization method and related equipment.
  • the first aspect of the application provides an authorization method, including:
  • a second aspect of the present application provides an authorization method, including:
  • the terminal device sends the first temporary certificate to the server, where the first temporary certificate is used to request access to resources on the server, so that the server determines the target authority corresponding to the terminal device according to the first temporary certificate,
  • the target authority is a right to access a target resource on the server;
  • the server is a server on a cloud service provider side, and the terminal device is a server on a third party service provider side;
  • the terminal device accesses the target resource by using the second temporary certificate.
  • a third aspect of the present application provides a server, including:
  • a receiving unit configured to receive a first temporary certificate sent by the terminal device, where the first temporary certificate is used to request access to resources on the server;
  • a determining unit configured to determine, according to the first temporary certificate, a target right corresponding to the terminal device, where the target right is a right to access a target resource on the server;
  • a sending unit configured to send the second temporary certificate corresponding to the target authority to the terminal device, so that the terminal device accesses the target resource by using the second temporary certificate.
  • a fourth aspect of the present application provides a terminal device, including:
  • a sending unit configured to send the first temporary certificate to the server, where the first temporary certificate is used to request access to resources on the server, so that the server determines, according to the first temporary certificate, a target authority corresponding to the terminal device, the target authority being a right to access a target resource on the server;
  • a receiving unit configured to receive a second temporary certificate corresponding to the target authority sent by the server;
  • an access unit configured to access the target resource by using the second temporary certificate.
  • a fifth aspect of the present application provides a server, including:
  • one or more central processing units, a memory, a bus system, and one or more programs, the central processing unit and the memory being coupled by the bus system;
  • the one or more programs are stored in the memory, the one or more programs comprising instructions that, when executed by the server, cause the server to perform the authorization method described in the first aspect of the present application.
  • a sixth aspect of the present application provides a terminal device, including:
  • one or more processor units, one or more memory units, a bus system, and one or more programs, the processor units and the memory units being coupled by the bus system;
  • the one or more programs are stored in the memory unit, the one or more programs including instructions that, when executed by the terminal device, cause the terminal device to perform the authorization method described in the second aspect of the present application.
  • a seventh aspect of the present application provides a computer storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of the first aspect of the application.
  • a seventh aspect of the present application provides a computer storage medium comprising instructions which, when run on a computer, cause the computer to perform the method of the second aspect of the present application.
  • the embodiments of the present application have the following advantages:
  • the server may implement refined authority management of the terminal device by using the second temporary certificate, that is, the terminal device holds only the target right on the server, which ensures the security and flexibility of the terminal device's access to the target resource on the server.
  • FIG. 1 is a schematic flow chart of steps of an authorization method.
  • FIG. 2 is a schematic structural diagram of an embodiment of a structure of a cloud service system provided by the present application
  • FIG. 3 is a schematic structural diagram of an embodiment of a cloud service provider side server provided by the present application.
  • FIG. 4 is a schematic structural diagram of an embodiment of a terminal device provided by the present application.
  • FIG. 5 is a flow chart of steps of an embodiment of an authorization method provided by the present application.
  • FIG. 6 is a flow chart of steps of another embodiment of the authorization method provided by the present application.
  • FIG. 7 is a flow chart of steps of another embodiment of the authorization method provided by the present application.
  • FIG. 8 is a schematic diagram of creating a pre-selected permission provided by the present application.
  • FIG. 9 is a schematic structural diagram of another embodiment of a cloud service provider side server provided by the present application.
  • FIG. 10 is a schematic structural diagram of another embodiment of a terminal device provided by the present application.
  • FIG. 11 is a schematic diagram of an application scenario provided by the present application.
  • the embodiment of the present application provides an authorization method for performing refined rights management on a terminal device.
  • the server in the embodiment of the present application may be a cloud service provider side server, and may be other types of servers.
  • the specific application is not limited.
  • the following embodiment uses a cloud service provider side server as an example to introduce the authorization method and related equipment of the present application.
  • the authorization method shown in this embodiment may be based on a cloud service system.
  • the structure of the cloud service system shown in this embodiment may be as shown in FIG. 2, where the cloud service system includes a cloud service provider side server 201.
  • the cloud service provider side server shown in this embodiment is a server on the service platform side of the cloud service provider.
  • the cloud service system shown in this embodiment further includes at least one terminal device 202.
  • This embodiment is exemplified by taking the number of the terminal devices 202 as one.
  • the terminal device 202 shown in this embodiment is a device on the third party service provider side.
  • the third-party service provider builds on the cloud computing product-based service platform established by the cloud service provider, and provides software, services, website construction, and enterprise application services to cloud service developers, to help users make better use of the cloud computing products and services on the service platform.
  • the cloud service provider side server shown in this embodiment may be a resource owner (RO), a resource server (Resource Server), or an authorization server (AS).
  • the terminal device 202 can request authorization from the cloud service provider side server through the OAuth protocol.
  • the configuration of the cloud service provider side server 201 is optionally described below with reference to FIG. 3. Specifically, the description of the cloud service provider side server structure in this embodiment is an optional example; it suffices that the cloud service provider side server 201 can implement authorization of the terminal device 202 so that the terminal device 202 can access resources on the cloud service provider side server 201 according to the authorization.
  • the cloud service provider side server may vary considerably depending on configuration or performance, and may include one or more central processing units (CPU) 301 (e.g., one or more processors), a memory 302, and one or more storage media 305 (e.g., one or more mass storage devices) that store an application 303 or data 304.
  • the memory 302 and the storage medium 305 may be short-term storage or persistent storage.
  • the program stored on storage medium 305 can include one or more modules (not shown), each of which can include a series of instruction operations in the server.
  • the central processing unit 301 can be configured to communicate with the storage medium 305 to perform a series of instruction operations in the storage medium 305 on the cloud service provider side server.
  • the cloud service provider side server may also include one or more power sources 306, one or more wired or wireless network interfaces 307, one or more input and output interfaces 308, and/or one or more operating systems 309, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and the like.
  • the specific structure of the terminal device 202 shown in this embodiment is exemplarily described below with reference to FIG.
  • the terminal device includes components such as an input unit 405, a processor unit 403, an output unit 401, a communication unit 407, a storage unit 404, a radio frequency circuit 408, and the like.
  • the structure of the terminal device shown in FIG. 4 does not constitute a limitation of the present application; it may be a bus-shaped structure or a star-shaped structure, and may include more or fewer components than illustrated, combine some components, or arrange the components differently.
  • the terminal device may be any mobile or portable electronic device, including but not limited to a smart phone, a mobile computer, a tablet computer, a personal digital assistant (PDA), a media player, a smart TV, and the like.
  • the terminal device includes:
  • the output unit 401 is configured to output an image to be displayed.
  • the output unit 401 includes but is not limited to the image output unit 4011 and the sound output unit 4012.
  • the image output unit 4011 is configured to output text, pictures, and/or video.
  • the image output unit 4011 may include a display panel, for example, a display panel configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or a field emission display (FED).
  • the image output unit 4011 may include a reflective display, such as an electrophoretic display, or a display using an Interferometric Modulation of Light.
  • the image output unit 4011 may include a single display or a plurality of displays of different sizes.
  • the touch screen can also serve as a display panel of the output unit 401 at the same time.
  • when the touch screen detects a touch or proximity gesture operation on it, the operation is transmitted to the processor unit 403 to determine the type of the touch event, and the processor unit 403 then provides a corresponding visual output on the display panel according to the type of the touch event.
  • although the input unit 405 and the output unit 401 are two independent components that implement the input and output functions of the terminal device, in some embodiments the touch device may be integrated with the display panel to implement the input and output functions of the terminal device.
  • the image output unit 4011 can display various graphical user interfaces (GUI) as virtual control components, including but not limited to windows, scroll bars, icons, and clipboards, for the user to operate by touch.
  • the image output unit 4011 includes a filter and an amplifier for filtering and amplifying the video output by the processor unit 403.
  • the sound output unit 4012 includes a digital to analog converter for converting the audio signal output by the processor unit 403 from a digital format to an analog format.
  • the processor unit 403 is configured to run a corresponding code to process the received information to generate and output a corresponding interface.
  • the processor unit 403 is the control center of the terminal device; it connects the various parts of the entire terminal device by using various interfaces and lines, and performs the various functions of the terminal device and/or processes data by running or executing software programs and/or modules stored in the storage unit and calling data stored in the storage unit.
  • the processor unit 403 may be composed of an integrated circuit (IC), for example, a single packaged IC, or a plurality of connected packaged ICs having the same function or different functions.
  • the processor unit 403 may include only a central processing unit (CPU), or may be a combination of a CPU, a graphics processing unit (GPU), and a digital signal processor (DSP).
  • the CPU may have a single operation core or multiple operation cores.
  • the storage unit 404 is configured to store code and data, and the code is run by the processor unit 403.
  • the storage unit 404 can be used to store software programs and modules, and the processor unit 403 executes various functional applications of the terminal device and implements data processing by running software programs and modules stored in the storage unit 404.
  • the storage unit 404 mainly includes a program storage area and a data storage area, where the program storage area can store an operating system and an application required for at least one function, such as a sound playing program or an image playing program, and the data storage area can store data created according to the use of the terminal device (such as audio data, a phone book, and the like).
  • the storage unit 404 may include a volatile memory, such as a non-volatile dynamic random access memory (NVRAM), a phase change random access memory (PRAM), a magnetoresistive random access memory (MRAM), and the like, and may also include a non-volatile memory, such as at least one disk storage device, an electrically erasable programmable read-only memory (EEPROM), or a flash memory device such as NOR flash memory or NAND flash memory.
  • the non-volatile memory stores an operating system and applications executed by the processor unit 403.
  • the processor unit 403 loads the running program and data from the non-volatile memory into the memory and stores the digital content in a plurality of storage devices.
  • the operating system includes various components and/or drivers for controlling and managing conventional system tasks such as memory management, storage device control, power management, and the like, as well as facilitating communication between various hardware and software.
  • the operating system may be an Android system of Google, an iOS system developed by Apple, a Windows operating system developed by Microsoft, or an embedded operating system such as Vxworks.
  • the application includes any application installed on the terminal device, including but not limited to browsers, emails, instant messaging services, word processing, keyboard virtualization, widgets, encryption, digital rights management, voice recognition, Voice copying, positioning (such as those provided by GPS), music playback, and more.
  • the input unit 405 is configured to implement interaction between the user and the terminal device and/or information input into the terminal device.
  • the input unit 405 can receive numeric or character information input by a user to generate a signal input related to user settings or function control.
  • the input unit 405 may be a touch screen, or may be other human-computer interaction interfaces, such as physical input keys, microphones, etc., and may also be other external information capture devices, such as cameras.
  • the touch screen shown in the embodiment of the present application can collect an operation action touched or approached by the user.
  • the user uses an action of any suitable object or accessory such as a finger, a stylus, or the like on the touch screen or near the touch screen, and drives the corresponding connecting device according to a preset program.
  • the touch screen may include two parts: a touch detection device and a touch controller. The touch detection device detects a touch operation of the user, converts the detected touch operation into an electrical signal, and transmits the electrical signal to the touch controller; the touch controller receives the electrical signal from the touch detection device, converts it into contact coordinates, and sends them to the processor unit 403.
  • the touch controller can also receive commands from the processor unit 403 and execute them.
  • the touch screen may be implemented using various types, such as resistive, capacitive, infrared, and surface acoustic wave.
  • the physical input keys used by the input unit 405 may include, but are not limited to, a physical keyboard, function keys (such as a volume control button, a switch button, etc.), a trackball, a mouse, a joystick, and the like.
  • the input unit 405 in the form of a microphone can collect the voice input by the user or the environment and convert it into a command executable by the processor unit 403 in the form of an electrical signal.
  • the input unit 405 may also be various types of sensor components, such as Hall devices, for detecting physical quantities of the terminal device, such as force, moment, pressure, stress, position, displacement, speed, acceleration, angle, angular velocity, number of revolutions, rotational speed, and the time at which the operating state changes, and converting them into electrical signals for detection and control.
  • sensor components may also include gravity sensors, three-axis accelerometers, gyroscopes, electronic compasses, ambient light sensors, proximity sensors, temperature sensors, humidity sensors, pressure sensors, heart rate sensors, fingerprint readers, and the like.
  • the communication unit 407 is configured to establish a communication channel, enable the terminal device to connect to the remote server through the communication channel, and download media data from the remote server.
  • the communication unit 407 may include a wireless local area network (WLAN) module, a Bluetooth module, a baseband module, and the like, and a radio frequency (RF) circuit corresponding to the communication module, for wireless local area network communication, Bluetooth communication, infrared communication, and/or cellular communication system communication, such as Wideband Code Division Multiple Access (WCDMA) and/or High Speed Downlink Packet Access (HSDPA).
  • the communication module is used to control communication of components in the terminal device and can support direct memory access.
  • the various communication modules in the communication unit 407 generally appear in the form of an integrated circuit chip, and can be selectively combined without including all of the communication modules and the corresponding antenna groups.
  • the communication unit 407 can include only a baseband chip, a radio frequency chip, and a corresponding antenna to provide communication functionality in a cellular communication system.
  • the wireless communication connection established via the communication unit 407 such as wireless local area network access or WCDMA access, may be connected to a cellular network (English name: Cellular Network) or the Internet.
  • a communication module, such as a baseband module, in the communication unit 407 can be integrated into the processor unit 403, typically an APQ+MDM series platform such as that provided by Qualcomm.
  • the radio frequency circuit 408 is used for receiving and transmitting signals during information transmission and reception or during a call. For example, after downlink information from the base station is received, it is passed to the processor unit 403 for processing; in addition, uplink data is transmitted to the base station.
  • the radio frequency circuit 408 includes well-known circuits for performing these functions, including but not limited to an antenna system, a radio frequency transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, A Codec chipset, a Subscriber Identity Module (SIM) card, a memory, and the like.
  • radio frequency circuitry 408 can also communicate with the network and other devices via wireless communication.
  • the wireless communication may use any communication standard or protocol, including but not limited to the Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), High Speed Uplink Packet Access (HSUPA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and so on.
  • a power source 409 is provided to power different components of the terminal device to maintain its operation.
  • the power source 409 may be a built-in battery, such as a conventional lithium ion battery, a nickel hydride battery, etc., and also includes an external power source that directly supplies power to the terminal device, such as an AC adapter.
  • the power supply 409 can also be defined more broadly; for example, it can also include a power management system, a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator (such as a light-emitting diode), and any other components associated with power generation, management, and distribution in the terminal equipment.
  • Step 501 The cloud service provider side server receives the first temporary certificate sent by the terminal device.
  • the first temporary certificate is used to request access to resources on the cloud service provider side server
  • the user may log in to a target website on the terminal device, where the target website is a website for obtaining authorization from the cloud service provider side server, and the website enables the terminal device to send the first temporary certificate to the cloud service provider side server.
  • the terminal device may send the first temporary certificate to the cloud service provider side server.
  • Step 502 The cloud service provider side server determines, according to the first temporary certificate, a target authority corresponding to the terminal device.
  • the target authority is a right to access a target resource on the cloud service provider side server.
  • Step 503 The cloud service provider side server sends a second temporary certificate corresponding to the terminal device to the terminal device.
  • the second temporary certificate shown in this embodiment is a short-term certificate.
  • the effective time of the second temporary certificate can be configured from a few minutes to a few hours. Once the credentials of the second temporary certificate expire, the cloud service provider side server will no longer recognize the second temporary certificate, so that the terminal device is no longer able to access the target resource on the cloud service provider side server through the second temporary certificate.
  • the specific execution process of the authorization method performed by the cloud service provider side server shown in this embodiment is shown in the embodiment shown in FIG. 7 .
  • Step 601 The terminal device sends the first temporary certificate to the cloud service provider side server.
  • Step 602 The terminal device receives a second temporary certificate sent by the cloud service provider side server.
  • Step 603 The terminal device accesses the target resource on the cloud service provider side server by using the second temporary certificate.
  • the authorization method includes:
  • Step 701 The terminal device sends the request information to the cloud service provider side server.
  • the request information shown in this embodiment includes first token information that has been stored by the terminal device.
  • the first token information is used by the terminal device to perform authentication to the cloud service provider side server.
  • the type of the first token information may be multiple.
  • the type of the first token information is not limited in this embodiment.
  • the terminal device shown in this embodiment requests authentication from the cloud service provider side server by using the first token information, so that the cloud service provider side server can determine, based on the first token information, whether the terminal device is forged, whether it is unauthorized, whether it has expired, and so on.
  • the terminal device shown in this embodiment may store the uniform resource locator (URL) address of the cloud service provider side server, and the terminal device shown in this embodiment may send the request information to the cloud service provider side server according to the URL address.
  • the terminal device shown in this embodiment may send the request information to a website for authenticating the terminal device on the cloud service provider side server according to the URL address.
  • Step 702 The cloud service provider side server receives the request information sent by the terminal device.
  • Step 703 The cloud service provider side server generates fourth signature information.
  • the cloud service provider side server shown in this embodiment may perform encryption calculation on the first key identifier, the first token information, and the random reply information (echoInfo) generated by the cloud service provider side server, to generate the fourth signature information.
  • specifically, the cloud service provider side server shown in this embodiment performs the encryption calculation on the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server according to its stored long-term key, to generate the fourth signature information.
  • Step 704 The cloud service provider side server sends the fourth signature information to the terminal device.
  • Step 705 The terminal device determines whether the fourth signature information meets the first condition, and if yes, performs step 706.
  • the fourth signature information may be subjected to decryption calculation to obtain the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server that are included in the fourth signature information.
  • the first condition shown in this embodiment is that the first token information included in the fourth signature information is the same as the first token information that is stored by the terminal device.
  • step 706 may continue to be performed.
  • Step 706 The terminal device sends the fifth signature information to the cloud service provider side server.
  • the terminal device shown in this embodiment sends the random reply information included in the fourth signature information to the cloud service provider side server.
  • the specific sending manner is that the terminal device performs encryption calculation on the received random reply information to generate the fifth signature information, that is, the fifth signature information generated by the terminal device includes the random reply information.
  • the terminal device shown in this embodiment may send the random reply information to the cloud service provider side server by using the fifth signature information.
  • the terminal device may invoke a target interface of the cloud service provider side server to implement data interaction between the terminal device and the cloud service provider side server.
  • the target interface of the cloud service provider side server may be an Application Programming Interface (API) of the Open Service Authorization of the cloud service provider side server.
  • API Application Programming Interface
  • the terminal device shown in this embodiment invokes the target interface of the cloud service provider side server by using the fifth signature information.
  • Step 707 The cloud service provider side server acquires the random reply information included in the fifth signature information.
  • the cloud service provider side server performs decryption calculation on the fifth signature information to obtain the random reply information included in the fifth signature information.
  • Step 708 The cloud service provider side server determines whether the fifth signature information satisfies the second condition, and if yes, performs step 709.
  • the cloud service provider side server may determine whether the fifth signature information satisfies the second condition.
  • the second condition is that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server.
  • if the cloud service provider side server determines that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server, that is, the fifth signature information satisfies the second condition, the cloud service provider side server and the terminal device complete the URL confirmation, and data interaction is possible between the cloud service provider side server and the terminal device that have completed the URL confirmation.
  • the target interface of the cloud service provider side server is successfully invoked by the terminal device.
  • Step 709 The cloud service provider side server generates first signature information.
  • the cloud service provider side server shown in this embodiment performs encryption calculation on the encrypted ticket to generate first signature information, where the encrypted ticket is used to authenticate the terminal device.
  • Step 710 The cloud service provider side server sends the first signature information to the terminal device.
  • the generated first signature information may be sent by the cloud service provider side server to the terminal device.
  • Step 711 The terminal device sends the second signature information to the cloud service provider side server.
  • the terminal device shown in this embodiment may perform decryption calculation on the first signature information to obtain the encrypted ticket included in the first signature information.
  • the terminal device performs an encryption calculation on the encrypted ticket to generate the second signature information, and the second signature information generated by the terminal device includes the encrypted ticket.
  • Step 712 The cloud service provider side server acquires the encrypted ticket included in the second signature information.
  • the cloud service provider side server shown in this embodiment may receive the second signature information sent by the terminal device, and perform decryption calculation on the second signature information to obtain the encrypted ticket included in the second signature information.
  • Step 713 The cloud service provider side server acquires third signature information.
  • the cloud service provider side server may perform encryption calculation on the encrypted ticket included in the second signature information to generate the third signature information.
  • Step 714 The cloud service provider side server sends the first temporary certificate to the terminal device if it is determined that the third condition is met.
  • the cloud service provider side server shown in this embodiment determines whether the second signature information and the third signature information are the same. If the second signature information and the third signature information are the same, the cloud service provider side server can determine that the third condition is met; that is, the third condition shown in this embodiment is that the third signature information is the same as the second signature information.
  • the terminal device may perform encryption calculation on the encrypted ticket by using a long-term key of the terminal device, and request the first temporary certificate from the cloud service provider side server by means of the encrypted ticket on which the encryption calculation was performed.
  • after the terminal device obtains the first temporary certificate, the terminal device can complete an authentication link with the cloud service provider side server by using the first temporary certificate, and after mutual authentication,
  • the terminal device and the cloud service provider side server can perform a real-time authorization process.
  • the real-time authorization process shown in this embodiment is based on the oAuth2.0 protocol real-time authorization process.
  • Step 715 The terminal device sends the first temporary certificate to the cloud service provider side server.
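Steps 701 to 714 form a challenge-response exchange: the server binds a fresh random reply (echoInfo) to the terminal's token, the terminal proves it can open that and echoes it back, the server then issues an encrypted ticket, and the first temporary certificate is released only when the ticket the terminal returns matches the server's own recomputation. The following is an added illustration, not code from the patent or from its applicant: it models "signature information" as a field set plus an HMAC-SHA256 tag under a shared long-term key (the patent fixes no primitive, so the key store, the JSON encoding, the key identifier `kid-1` and all values are constructed assumptions), and the "decryption calculation" as tag verification followed by field extraction.

```python
import hashlib
import hmac
import json
import secrets

# Constructed: each terminal device and the server share a long-term key under a key identifier.
LONG_TERM_KEYS = {"kid-1": b"constructed-long-term-key-for-kid-1"}


def make_signature(key, fields):
    """'Signature information': the fields plus an HMAC-SHA256 tag over their canonical JSON encoding."""
    body = json.dumps(fields, sort_keys=True).encode()
    return {"fields": fields, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def open_signature(key, sig):
    """The 'decryption calculation': return the fields if the tag verifies under key, otherwise None."""
    body = json.dumps(sig["fields"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sig["tag"]):
        return None
    return sig["fields"]


class CloudServer:
    """Cloud service provider side server for steps 702-714 (constructed model)."""

    def __init__(self, keys):
        self.keys = keys
        self.echo = None            # random reply information for the request in flight
        self.ticket = None          # encrypted ticket issued once the URL confirmation succeeds
        self.first_certs = set()    # first temporary certificates handed out

    def handle_request(self, request):
        """Steps 702-704: bind key id, token and a fresh echoInfo into the fourth signature information."""
        kid = request["key_id"]
        if kid not in self.keys:
            return None
        self.echo = secrets.token_hex(16)
        self.ticket = None
        return make_signature(self.keys[kid], {"key_id": kid, "token": request["token"], "echoInfo": self.echo})

    def handle_echo(self, fifth):
        """Steps 707-710: second condition (echo matches), then issue the encrypted ticket as first signature info."""
        kid = fifth["fields"].get("key_id")
        if kid not in self.keys or self.echo is None:
            return None
        fields = open_signature(self.keys[kid], fifth)
        if fields is None or not hmac.compare_digest(fields.get("echoInfo", ""), self.echo):
            return None
        self.echo = None                                  # each echoInfo may be answered once
        self.ticket = secrets.token_hex(16)
        return make_signature(self.keys[kid], {"key_id": kid, "ticket": self.ticket})

    def handle_ticket(self, second):
        """Steps 712-714: recompute the third signature information over the server's own ticket and compare."""
        kid = second["fields"].get("key_id")
        if kid not in self.keys or self.ticket is None:
            return None
        third = make_signature(self.keys[kid], {"key_id": kid, "ticket": self.ticket})
        if not hmac.compare_digest(third["tag"], second["tag"]):
            return None                                   # third condition fails: no certificate
        self.ticket = None
        cert = secrets.token_hex(16)
        self.first_certs.add(cert)
        return cert


class Terminal:
    """Terminal device side of the same exchange (constructed model)."""

    def __init__(self, key_id, key, token):
        self.key_id, self.key, self.token = key_id, key, token

    def request(self):
        """Step 701: request information carrying the stored first token information."""
        return {"key_id": self.key_id, "token": self.token}

    def answer_challenge(self, fourth):
        """Steps 705-706: first condition (token equals the stored one), then echo echoInfo back, signed."""
        fields = open_signature(self.key, fourth)
        if fields is None or fields.get("token") != self.token:
            return None
        return make_signature(self.key, {"key_id": self.key_id, "echoInfo": fields["echoInfo"]})

    def answer_ticket(self, first):
        """Step 711: extract the encrypted ticket and return it inside the second signature information."""
        fields = open_signature(self.key, first)
        if fields is None:
            return None
        return make_signature(self.key, {"key_id": self.key_id, "ticket": fields["ticket"]})


def run_handshake(server, terminal):
    """Drive steps 701-714; returns the first temporary certificate, or None if any condition fails."""
    fourth = server.handle_request(terminal.request())
    fifth = terminal.answer_challenge(fourth) if fourth else None
    first = server.handle_echo(fifth) if fifth else None
    second = terminal.answer_ticket(first) if first else None
    return server.handle_ticket(second) if second else None
```

The design point worth noticing is that the server keeps its own copy of the echoInfo and of the ticket and compares against those, never against values the terminal supplies; a terminal without the long-term key can neither open the challenge nor produce a second signature that equals the server's third signature, and a captured fifth signature is useless once a newer request has replaced the echoInfo.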
  • the first temporary certificate is used to request access to resources on the cloud service provider side server.
  • the first temporary certificate shown in this embodiment requests a pre-authorization code (precode) from the target interface that has been called by the terminal device.
  • precode pre-authorization code
  • the pre-authorization code shown in this embodiment can effectively prevent malicious or fake terminal devices from obtaining authorization from the cloud service provider side server, thereby effectively improving the security of the real-time authorization process.
  • Step 716 The cloud service provider side server sends a pre-authorization code to the terminal device.
  • the cloud service provider side server shown in this embodiment may determine whether the first temporary certificate stored by the cloud service provider side server and the currently received first temporary certificate are the same, and if yes, the cloud service provider side server can send the pre-authorization code to the terminal device.
  • Step 717 The terminal device acquires authentication information submitted by the user.
  • the terminal device shown in this embodiment may perform a jump to the target website, so that the target website jumps to a login page that includes the pre-authorization code.
  • the login page shown in this embodiment further includes a key identifier.
  • the login page shown in this embodiment can receive the user name and password input by the user for login for identity authentication.
  • the authentication information includes the user name and password of the user, as an example.
  • the authentication information may further include other information for authentication, which is not limited in this embodiment.
  • the cloud service provider side server may pre-store a plurality of user names and the passwords corresponding to the user names, and the user may enter the authentication information to the cloud service provider side server by using the terminal device; if the cloud service provider side server determines that the authentication information currently input by the user is stored on the cloud service provider side server, it determines that the user passes the authentication.
  • Step 718 The cloud service provider side server acquires the selected permission.
  • the cloud service provider side server may provide a permission list to the user.
  • the permission list includes a plurality of permissions to be selected.
  • the user can select a required authority among the plurality of to-be-selected rights through the permission list.
  • the cloud service provider side server receives the selected operation input by the user through the permission list.
  • the cloud service provider side server determines that the selected rights are at least one of the plurality of to-be-selected rights selected by the selected operation in the permission list.
  • the cloud service provider side server can determine that the permission to log in to Weibo through QQ is the selected permission.
  • the selected permission can be bound to the authentication information of the user, and when the user subsequently logs in through the authentication information, the selected permissions bound to the authentication information can be obtained, thereby avoiding repeated selection by the user.
  • Step 719 The cloud service provider side server determines the preselected authority.
  • the pre-selected authority is a permission that the terminal device has selected on the cloud service provider side server.
  • the pre-selected authority shown in this embodiment is a user-defined policy
  • the policy is a resource that the terminal device can access on the cloud service provider side server.
  • the policy includes a privilege and an authorization object
  • the privilege includes a privilege, a resource, an authorization interface, an authorization condition, and the like
  • the authorization object is a user corresponding to the privilege, that is, the cloud service provided in this embodiment.
  • the cloud service provider side server may implement the configuration of the pre-selected authority by using the authority and the authorization object.
  • the cloud service provider side server may create the policy according to an industry domain or a service domain registered by the terminal device.
  • the terminal device can execute the resources described in the pre-authorization policy by default.
  • Step 720 The cloud service provider side server determines a target right corresponding to the terminal device.
  • the cloud service provider side server determines that the intersection of the selected authority and the pre-selected authority is the target authority.
  • the target permission shown in this embodiment is the pre-selected permission.
  • the default authorization policy of the cloud service provider side server is given according to the registered industry domain or service domain.
  • the terminal is allowed to use the default pre-selected permission to restrict the access of the terminal device to the resource of the cloud service provider side server by default.
  • the target permission shown in this embodiment is an intersection of the selected permission and the pre-selected permission.
  • the target rights are included in the selected rights and the pre-selected rights at the same time.
  • the user using the terminal device can be granted the target authority by the cloud service provider side server, so that the cloud service provider side server controls the access of the terminal device to the cloud service provider side server such that the terminal device can only access the target resource on the cloud service provider side server; the cloud service provider side server is further capable of controlling the access mode and the timing of the user's access to the target resource, which are not limited in this embodiment.
  • the pre-selected permission shown in this embodiment is “cloud host management authority (cloud host restart, application, viewing, etc.)”, that is, the pre-selected permission shown in this embodiment is a cloud service provider side server.
  • the selected permission shown in FIG. 11 is “developer custom third-party role”, and the cloud service provider side server performs refined rights management on the terminal device by using the selected permission.
  • the terminal device can log in to the public comment network through WeChat under the operation of the user, and the cloud service provider side server can log in to the public comment network through WeChat through the target authority.
  • the time, the number of times, and the like, which are logged into the public commenting network by means of the WeChat may be limited, which is not limited in this embodiment.
  • Step 721 The cloud service provider side server sends an authorization code to the terminal device.
  • the cloud service provider side server determines the target authority
  • the cloud service provider side server sends the authorization code stored by the cloud service provider side server to the terminal device.
  • Step 722 The terminal device sends the sixth signature information to the cloud service provider side server.
  • the terminal device may perform encryption calculation on the authorization code and the first temporary certificate to generate the sixth signature information after receiving the authorization code sent by the cloud service provider side server.
  • Step 723 The cloud service provider side server determines whether the sixth signature information satisfies the fourth condition, and if yes, sends the target access parameter to the terminal device.
  • the cloud service provider side server may perform decryption calculation on the sixth signature information to obtain the authorization code and the first temporary certificate included in the sixth signature information.
  • the fourth condition is that the authorization code included in the sixth signature information is the same as the authorization code already stored by the cloud service provider side server.
  • the fourth condition may be that the first temporary certificate included in the sixth signature information is the same as the first temporary certificate that is stored by the cloud service provider side server.
  • the cloud service provider side server may send the target access parameter for accessing the target resource to the terminal device.
  • the target access parameter includes second token information, a second key identifier, and a second temporary certificate.
  • the second temporary certificate shown in this embodiment is a short-term certificate.
  • the effective time of the second temporary certificate can be configured from a few minutes to a few hours. Once the credentials of the second temporary certificate expire, the cloud service provider side server will no longer recognize the second temporary certificate, so that the terminal device is no longer able to access the target resource on the cloud service provider side server through the second temporary certificate.
  • Step 724 The cloud service provider side server sends the target access parameter to the terminal device.
  • the terminal device may access the target resource on the cloud service provider side server by using the received target access parameter, and the specific access process is as follows:
  • Step 725 The terminal device sends the seventh signature information to the cloud service provider side server.
  • the terminal device may perform encryption calculation on the target access parameter to generate the seventh signature information when the terminal device receives the target access parameter.
  • Step 726 The cloud service provider side server generates eighth signature information.
  • the cloud service provider side server performs encryption calculation on the target access parameter generated by the cloud service provider side server to generate eighth signature information.
  • Step 727 The cloud service provider side server determines that the terminal device has the right to access the target resource.
  • if the cloud service provider side server determines that the seventh signature information is the same as the eighth signature information, the cloud service provider side server determines that the terminal device has permission to access the target resource, that is, the terminal device has the target permission.
  • after the cloud service provider side server determines that the terminal device has the target authority, the terminal device can access the target resource on the cloud service provider side server.
  • the cloud service provider side server can perform refined rights management on the terminal device, so that the cloud service provider side server has the capability of open access to the terminal device, while at the same time ensuring the security and flexibility of the terminal device accessing the target resource of the cloud service provider side server; data interaction between the cloud service provider side server and the terminal device is performed by means of the signature information, which improves security during data interaction.
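Steps 715 to 727 cover the authorization half of the flow: a pre-authorization code is released only for a first temporary certificate the server itself issued, the user authenticates and selects permissions, the target authority is the intersection of the selected and the pre-selected permissions, the authorization code is redeemed with a sixth signature that binds it to the first temporary certificate, and the resulting short-lived target access parameter is checked on every access by recomputing the eighth signature and honouring the expiry. The following is an added illustration of those steps, not code from the patent or from its applicant: the HMAC-SHA256 tag, the `"privilege:resource"` permission strings, the key identifier `kid-2`, the user store, the ten-minute lifetime and the injectable clock are all constructed assumptions.

```python
import hashlib
import hmac
import secrets


def _tag(key, *parts):
    """Signature information over the listed fields (assumption: HMAC-SHA256 under a shared long-term key)."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def target_authority(selected, preselected):
    """Step 720: the target authority is the intersection of the selected and the pre-selected permissions."""
    return frozenset(selected) & frozenset(preselected)


class Clock:
    """Constructed clock so the second temporary certificate's expiry can be exercised without waiting."""
    def __init__(self, t=0):
        self.t = t

    def __call__(self):
        return self.t


class AuthorizationServer:
    """Cloud service provider side server for steps 715-727 (constructed model, not the patent's code)."""

    def __init__(self, key, preselected, users, clock, cert_ttl=600):
        self.key = key
        self.preselected = frozenset(preselected)  # default policy for the terminal's registered domain
        self.users = users                         # constructed user name -> password store
        self.clock = clock
        self.cert_ttl = cert_ttl                   # seconds; the text allows minutes to hours
        self.first_certs = set()                   # first temporary certificates the server issued
        self.precodes = {}                         # pre-authorization code -> first temporary certificate
        self.auth_codes = {}                       # authorization code -> (target authority, first cert)
        self.bound_selection = {}                  # user name -> selected permission (step 718 binding)
        self.access_params = {}                    # second temporary certificate -> (param, target, expiry)

    def issue_precode(self, first_cert):
        """Step 716: only a first temporary certificate the server itself stored earns a pre-authorization code."""
        if first_cert not in self.first_certs:
            return None
        precode = secrets.token_hex(8)
        self.precodes[precode] = first_cert
        return precode

    def login(self, precode, username, password, selected):
        """Steps 717-721: authenticate the user, bind the selection, compute the target authority, issue a code."""
        if precode not in self.precodes:
            return None
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        selected = self.bound_selection.setdefault(username, frozenset(selected))
        code = secrets.token_hex(8)
        self.auth_codes[code] = (target_authority(selected, self.preselected), self.precodes.pop(precode))
        return code

    def exchange(self, sixth):
        """Step 723: fourth condition (code and first certificate match), then issue the target access parameter."""
        code, cert = sixth["auth_code"], sixth["first_cert"]
        if not hmac.compare_digest(sixth["tag"], _tag(self.key, code, cert)):
            return None
        if code not in self.auth_codes or cert not in self.first_certs:
            return None
        target, bound_cert = self.auth_codes.pop(code)          # a code is redeemable once
        if bound_cert != cert:
            return None
        param = {"token": secrets.token_hex(8), "key_id": "kid-2", "second_cert": secrets.token_hex(8)}
        self.access_params[param["second_cert"]] = (param, target, self.clock() + self.cert_ttl)
        return param

    def access(self, seventh):
        """Steps 726-727: recompute the eighth signature from the server's own copy and compare; honour expiry."""
        entry = self.access_params.get(seventh["second_cert"])
        if entry is None:
            return None
        param, target, expiry = entry
        if self.clock() >= expiry:                              # expired: the server no longer recognises it
            del self.access_params[seventh["second_cert"]]
            return None
        eighth = _tag(self.key, param["token"], param["key_id"], param["second_cert"])
        if not hmac.compare_digest(seventh["tag"], eighth):
            return None
        return target


def terminal_sixth(key, auth_code, first_cert):
    """Step 722: sixth signature information over the authorization code and the first temporary certificate."""
    return {"auth_code": auth_code, "first_cert": first_cert, "tag": _tag(key, auth_code, first_cert)}


def terminal_seventh(key, param):
    """Step 725: seventh signature information over the target access parameter."""
    return {"second_cert": param["second_cert"],
            "tag": _tag(key, param["token"], param["key_id"], param["second_cert"])}


def demo(clock):
    """Run steps 715-724 for a constructed user; returns (server, key, target access parameter)."""
    key = b"constructed-shared-long-term-key"
    server = AuthorizationServer(key, {"host:restart", "host:view", "host:apply"},
                                 {"alice": "constructed-pw"}, clock)
    server.first_certs.add("cert-1")                            # assume step 714 already issued this certificate
    precode = server.issue_precode("cert-1")
    code = server.login(precode, "alice", "constructed-pw", {"host:restart", "host:view", "host:delete"})
    return server, key, server.exchange(terminal_sixth(key, code, "cert-1"))
```

With the constructed inputs the user asks for restart, view and delete while the domain's default policy allows restart, view and apply, so the target authority is restart and view only; the delete right the user selected never reaches the terminal because the intersection is taken server-side, and once the clock passes the certificate lifetime the same seventh signature is refused.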
  • the cloud service provider side server shown in this embodiment is used to perform the authorization method shown in FIG. 9.
  • the specific implementation process is shown in FIG. 9, which is not specifically described in this embodiment.
  • the first processing unit 901 is configured to perform encryption calculation on the encrypted ticket to generate first signature information, send the first signature information to the terminal device, receive second signature information sent by the terminal device, where the second signature information includes the encrypted ticket obtained by the terminal device performing decryption calculation on the first signature information, perform decryption calculation on the second signature information to obtain the encrypted ticket included in the second signature information, perform encryption calculation on the encrypted ticket to generate third signature information, and, if it is determined that the third signature information is the same as the second signature information, send the first temporary certificate to the terminal device.
  • before the first processing unit 901 sends the first signature information to the terminal device, the first processing unit 901 is specifically configured to receive request information sent by the terminal device, where the request information includes the first token information that has been stored by the terminal device; perform encryption calculation on the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server to generate fourth signature information; send the fourth signature information to the terminal device, so that, if the terminal device determines that the first token information included in the fourth signature information is the same as the first token information stored by the terminal device, the terminal device sends fifth signature information including the random reply information to the cloud service provider side server; perform decryption calculation on the fifth signature information to obtain the random reply information included in it; and, if it determines that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server, trigger the step of sending the first signature information to the terminal device.
  • the receiving unit 902 is configured to receive a first temporary certificate sent by the terminal device, where the first temporary certificate is used to request access to a resource on the cloud service provider side server;
  • a determining unit 903 configured to determine, according to the first temporary certificate, a target right corresponding to the terminal device, where the target right is a right to access a target resource on the cloud service provider side server;
  • the determining unit 903 is configured to generate a permission list according to the first temporary certificate, where the permission list includes a plurality of to-be-selected rights; receive, through the permission list, the selected operation input by the user; determine the selected permission, which is at least one of the plurality of to-be-selected rights selected by the selected operation in the permission list; determine the pre-selected authority, which is the permission that the terminal device has selected on the cloud service provider side server; and determine that the intersection of the selected authority and the pre-selected authority is the target authority.
  • the sending unit 904 is configured to send the second temporary certificate corresponding to the target authority to the terminal device, so that the terminal device accesses the target resource by using the second temporary certificate.
  • the sending unit 904 is configured to send the authorization code that has been stored by the cloud service provider side server to the terminal device, and receive sixth signature information sent by the terminal device, where the sixth signature information is signature information generated by the terminal device performing encryption calculation on the authorization code and the first temporary certificate; and, if it is determined that the authorization code included in the sixth signature information is the same as the authorization code stored by the cloud service provider side server, send the target access parameter used to access the target resource to the terminal device, where the target access parameter includes second token information, a second key identifier, and the second temporary certificate.
  • the second processing unit 905 is configured to receive seventh signature information sent by the terminal device to access the target resource, where the seventh signature information is signature information generated by the terminal device performing encryption calculation on the target access parameter; perform encryption calculation on the target access parameter generated by the cloud service provider side server to generate eighth signature information; and, if it is determined that the seventh signature information is the same as the eighth signature information, determine that the terminal device has permission to access the target resource.
  • the cloud service provider side server shown in this embodiment is used to perform the authorization method shown in FIG. 5, and the specific implementation process is shown in FIG. 5, which is not specifically described in this embodiment.
  • the first processing unit 1001 is configured to receive first signature information sent by the cloud service provider side server, where the first signature information is signature information generated by the cloud service provider side server performing encryption calculation on the encrypted ticket; decrypt the first signature information to obtain the encrypted ticket; perform encryption calculation on the encrypted ticket to obtain second signature information; and send the second signature information to the cloud service provider side server.
  • the cloud service provider side server sends the first temporary certificate to the terminal device, where the cloud service provider side server determines that the third signature information and the second signature information are the same.
  • the third signature information includes the encrypted ticket, and the first temporary certificate sent by the cloud service provider side server is received.
  • the first processing unit 1001 is specifically configured to send request information to the cloud service provider side server, where the request information includes the first token information that has been stored by the terminal device, so that the cloud service provider side server sends fourth signature information to the terminal device, where the fourth signature information includes the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server; receive the fourth signature information; if it is determined that the first token information included in the fourth signature information is the same as the first token information stored by the terminal device, perform encryption calculation on the random reply information to generate fifth signature information; and send the fifth signature information to the cloud service provider side server, so that, when the cloud service provider side server determines that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server, the first signature information is transmitted to the terminal device.
  • the sending unit 1002 is configured to send the first temporary certificate to the cloud service provider side server, where the first temporary certificate is used to request access to resources on the cloud service provider side server;
  • the sending unit 1002 is configured to receive the authorization code stored by the cloud service provider side server that is sent by the cloud service provider side server; perform encryption calculation on the authorization code and the first temporary certificate to generate sixth signature information; send the sixth signature information to the cloud service provider side server, so that, if the cloud service provider side server determines that the authorization code included in the sixth signature information is the same as the authorization code stored by the cloud service provider side server, the target access parameter used to access the target resource is sent to the terminal device, where the target access parameter includes the second token information, the second key identifier, and the second temporary certificate; and receive the target access parameter.
  • the receiving unit 1003 is configured to receive, by the cloud service provider side server, a second temporary certificate corresponding to the target right.
  • the access unit 1004 is configured to access the target resource on the cloud service provider side server by using the second temporary certificate.
  • the second processing unit 1005 is configured to perform encryption calculation on the target access parameter to generate seventh signature information, and send the seventh signature information to the cloud service provider side server, so that, if the cloud service provider side server determines that the seventh signature information is the same as the eighth signature information, it determines that the terminal device has the right to access the target resource, where the eighth signature information is signature information generated by the cloud service provider side server performing encryption calculation on the target access parameter generated by the cloud service provider side server.
  • the cloud service provider side server includes:
  • one or more programs stored in the memory 302, the one or more programs including instructions that, when executed by the cloud service provider side server, cause the cloud service provider side server to perform the method shown in FIG. 5, FIG. 6, or FIG. 7; the specific execution process is not described again in this embodiment.
  • the terminal device includes one or more processor units 403, a storage unit 404, a bus system, and one or more programs, the processor unit 403 and the storage unit 404 being connected by the bus system;
  • the one or more programs are stored in the storage unit 404, the one or more programs including instructions that, when executed by the terminal device, cause the terminal device to perform the method shown in FIG.
  • the specific implementation process is not described again in this embodiment.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the computer readable storage medium includes a number of instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present application.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like.
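The two-round exchange described in the units above (authorization code and sixth signature, then target access parameter with seventh and eighth signatures), as an added Python example that is not part of the patent. It assumes HMAC-SHA256 under a key shared by terminal and server as the unspecified "encryption calculation", and every certificate, token, key-identifier and authorization-code value is constructed for the example; the tamper case shows the server refusing to issue the target access parameter when the presented authorization code is not the stored one.

```python
import hmac
import hashlib
import secrets

# Assumption: the patent's "encryption calculation" is modelled as HMAC-SHA256
# under a key shared by terminal and server; the page does not name the primitive.
def sign(key: bytes, *fields: str) -> str:
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()

class CloudServer:
    """Cloud service provider side server (constructed for this example)."""
    def __init__(self, key: bytes):
        self.key = key
        self.auth_codes = {}     # first temporary certificate -> stored authorization code
        self.access_params = {}  # first temporary certificate -> issued target access parameter

    def issue_authorization_code(self, first_cert: str) -> str:
        self.auth_codes[first_cert] = secrets.token_hex(8)
        return self.auth_codes[first_cert]

    def check_sixth_signature(self, first_cert: str, auth_code: str, sixth_sig: str):
        """Issue the target access parameter only if the presented code equals the stored
        one and the sixth signature covers (authorization code, first temporary certificate)."""
        stored = self.auth_codes.get(first_cert)
        if stored is None or not hmac.compare_digest(stored, auth_code):
            return None                     # code differs from the stored one: no parameter
        if not hmac.compare_digest(sign(self.key, auth_code, first_cert), sixth_sig):
            return None
        param = ("tok2-" + secrets.token_hex(4), "kid2", "cert2-" + secrets.token_hex(4))
        self.access_params[first_cert] = param  # (second token, second key id, second temp cert)
        return param

    def check_seventh_signature(self, first_cert: str, seventh_sig: str) -> bool:
        """Eighth signature: the server signs its own copy of the target access parameter."""
        param = self.access_params.get(first_cert)
        return param is not None and hmac.compare_digest(sign(self.key, *param), seventh_sig)

def run_exchange(key: bytes = b"demo-shared-key", tamper_code: bool = False):
    """Drive the exchange from the terminal side; returns (param_issued, access_granted)."""
    server, first_cert = CloudServer(key), "first-temp-cert-" + secrets.token_hex(4)
    auth_code = server.issue_authorization_code(first_cert)
    if tamper_code:                         # present a code the server never stored
        auth_code = "not-the-stored-code"
    sixth = sign(key, auth_code, first_cert)
    param = server.check_sixth_signature(first_cert, auth_code, sixth)
    if param is None:
        return False, False
    seventh = sign(key, *param)             # terminal signs the received access parameter
    return True, server.check_seventh_signature(first_cert, seventh)
```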

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to an authorization method and an associated device. The method according to the embodiments of the present invention comprises the following steps: a server receives a first temporary certificate sent by a terminal device; the server determines a target authority according to the first temporary certificate; and the server sends a second temporary certificate to the terminal device, the second temporary certificate being used to indicate the target authority, so that the terminal device accesses the target resource on the server by means of the second temporary certificate. It can be seen that the server can implement fine-grained authority management of the terminal device by means of the second temporary certificate, that is, the terminal device can only access a target authority on the server, thereby ensuring the security and flexibility of the terminal device accessing the target resource on the server.
PCT/CN2018/089039 2017-06-14 2018-05-30 Authorization method and related device WO2018228199A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710447707.0 2017-06-14
CN201710447707.0A CN107222485B (zh) 2017-06-14 2017-06-14 An authorization method and related device

Publications (1)

Publication Number Publication Date
WO2018228199A1 true WO2018228199A1 (fr) 2018-12-20

Family

ID=59948556

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/089039 WO2018228199A1 (fr) 2017-06-14 2018-05-30 Authorization method and related device

Country Status (2)

Country Link
CN (1) CN107222485B (fr)
WO (1) WO2018228199A1 (fr)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107222485B (zh) * 2017-06-14 2020-08-21 腾讯科技(深圳)有限公司 An authorization method and related device
CN110798434B (zh) * 2018-08-03 2022-04-08 Emc Ip控股有限公司 Computer system, method performed by a computing apparatus, and storage medium
CN110839005B (zh) * 2018-08-17 2023-08-01 恩智浦美国有限公司 Secure enrollment of a device using a cloud platform
CN109450984B (zh) * 2018-10-16 2021-12-21 深信服科技股份有限公司 Cloud architecture management method, device, and computer-readable storage medium
SG11202104548SA (en) * 2018-11-06 2021-05-28 Visa Int Service Ass Systems and methods for managing a transaction state object
CN109547444B (zh) * 2018-11-28 2021-01-05 腾讯科技(深圳)有限公司 Virtual object acquisition method, apparatus, and electronic device
GB2579590B (en) 2018-12-04 2021-10-13 Imagination Tech Ltd Workload repetition redundancy
GB2579591B (en) * 2018-12-04 2022-10-26 Imagination Tech Ltd Buffer checker
CN111159736B (zh) * 2019-12-25 2022-03-25 联通(广东)产业互联网有限公司 Blockchain application control method and system
CN113553600B (zh) * 2020-04-23 2024-06-14 花瓣云科技有限公司 Resource acquisition method, system, server, and storage medium
CN112364307B (zh) * 2020-09-30 2024-03-12 深圳市为汉科技有限公司 Software authorization method and related device
CN112000942B (zh) * 2020-10-30 2021-01-22 成都掌控者网络科技有限公司 Permission list matching method, apparatus, device, and medium based on authorization behavior
CN113794673B (zh) * 2021-01-29 2024-02-09 北京京东拓先科技有限公司 Data sharing method and apparatus
CN113779516B (zh) * 2021-06-29 2023-08-18 青岛海尔科技有限公司 Device control method, apparatus, storage medium, and electronic apparatus
CN113438314B (zh) * 2021-06-29 2023-10-24 青岛海尔科技有限公司 Device control method, apparatus, storage medium, and electronic apparatus
CN115242449A (zh) * 2022-06-23 2022-10-25 上海微创医疗机器人(集团)股份有限公司 Medical data upload method, download method, transmission system, device, and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030125012A1 (en) * 2001-12-28 2003-07-03 Allen Lee S. Micro-credit certificate for access to services on heterogeneous access networks
CN101043403A (zh) * 2007-03-15 2007-09-26 西安电子科技大学 Domain-based digital rights protection home network system
CN102057382A (zh) * 2008-06-06 2011-05-11 微软公司 Temporary domain membership for content sharing
CN107222485A (zh) * 2017-06-14 2017-09-29 腾讯科技(深圳)有限公司 An authorization method and related device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103109510A (zh) * 2012-10-16 2013-05-15 华为技术有限公司 Resource secure access method and apparatus
CN103685267B (zh) * 2013-12-10 2017-04-12 小米科技有限责任公司 Data access method and apparatus
CN106487765B (zh) * 2015-08-31 2021-10-29 索尼公司 Authorized access method and device using the same
CN105208042A (zh) * 2015-10-15 2015-12-30 黄云鸿 Resource secure access method and system

Also Published As

Publication number Publication date
CN107222485A (zh) 2017-09-29
CN107222485B (zh) 2020-08-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 18817302 / Country of ref document: EP / Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 18817302 / Country of ref document: EP / Kind code of ref document: A1