WO2020102974A1 - Data access method, data access apparatus, and mobile terminal - Google Patents

Data access method, data access apparatus, and mobile terminal

Info

Publication number
WO2020102974A1
WO2020102974A1 PCT/CN2018/116434 CN2018116434W WO2020102974A1 WO 2020102974 A1 WO2020102974 A1 WO 2020102974A1 CN 2018116434 W CN2018116434 W CN 2018116434W WO 2020102974 A1 WO2020102974 A1 WO 2020102974A1
Authority
WO
WIPO (PCT)
Prior art keywords
metadata
check value
access token
data access
clear text
Prior art date
Application number
PCT/CN2018/116434
Other languages
French (fr)
Chinese (zh)
Inventor
杨阳
郑忠
Original Assignee
深圳市欢太科技有限公司
Oppo广东移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳市欢太科技有限公司, Oppo广东移动通信有限公司 filed Critical 深圳市欢太科技有限公司
Priority to PCT/CN2018/116434 priority Critical patent/WO2020102974A1/en
Priority to CN201880098468.5A priority patent/CN112823503B/en
Publication of WO2020102974A1 publication Critical patent/WO2020102974A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • the present application belongs to the field of information processing technology, and particularly relates to a data access method, a data access device, a mobile terminal, and a computer-readable storage medium.
  • the open authentication application program interface (OAuth, An open protocol to allow secure API authorization) in a simple and standard method from desktop applications and web application standards is a third-party application program interface (API) authentication authorization access protocol.
  • API application program interface
  • This application provides a data access method, a data access device, a mobile terminal, and a computer-readable storage medium, which can improve the security of private information transmission.
  • the first aspect of the present application provides a data access method, including:
  • the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
  • the data access request further includes a key used to encrypt the access token after being encrypted using a public key
  • the decrypting the encrypted access token includes:
  • the encrypted access token is decrypted according to the decrypted key.
  • the second metadata includes a second clear text check value, and then if the encrypted access token is successfully decrypted, the access order is obtained
  • the second metadata included in the card is:
  • the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
  • the second metadata included in the access token is specifically:
  • the data access method further includes:
  • the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically: :
  • the terminal identifier is a legal terminal identifier
  • a clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access.
  • the second metadata further includes a second ciphertext verification value
  • the data access request includes the subject ciphertext
  • responding to the data access request is specifically:
  • the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
  • the second metadata further includes a second timestamp, then if the encrypted access order is successfully decrypted Card, and obtaining the second metadata included in the access token is specifically:
  • responding to the data access request is specifically:
  • the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
  • the data access method further includes:
  • the second metadata further includes a second time stamp and a second ciphertext verification value, and the data access request Including the main body ciphertext, if the encrypted access token is successfully decrypted, acquiring the second metadata included in the access token is specifically:
  • responding to the data access request is specifically:
  • the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to Preset a time difference, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value and the second ciphertext The verification value is the same and responds to the data access request.
  • the second aspect of the present application provides a data access device, including:
  • a first data access request receiving unit configured to receive a data access request, where the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
  • An access token decryption unit used to decrypt the encrypted access token
  • a second metadata acquisition unit for acquiring the second metadata included in the access token if the encrypted access token is successfully decrypted
  • a third aspect of the present application provides a mobile terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor.
  • the processor implements the computer program as follows step:
  • the data access request further includes a key used to encrypt the access token after being encrypted using a public key, and correspondingly, the decrypting the encryption Later access tokens include:
  • the encrypted access token is decrypted according to the decrypted key.
  • the latest public key private key pair in the system is obtained, And return the public key in the public key private key pair to the client.
  • the second metadata includes a second clear text check value, and if the encrypted access token is successfully decrypted, the access token is obtained
  • the included second metadata is specifically:
  • the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
  • the second metadata includes a terminal identification, and if the encrypted access token is successfully decrypted, the The second metadata included in the access token is specifically:
  • the selection of whether to respond to the data access request according to the second metadata and the first metadata specifically includes:
  • the terminal identifier is a legal terminal identifier
  • a clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access.
  • the second metadata further includes a second ciphertext verification value, and the data access request includes the subject ciphertext, then If the encrypted access token is successfully decrypted, obtaining the second metadata included in the access token is specifically:
  • the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
  • the second metadata further includes a second time stamp, and then if the encrypted access token is successfully decrypted , Obtaining the second metadata included in the access token is specifically:
  • responding to the data access request is specifically:
  • the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
  • a fourth aspect of the present application provides a computer-readable storage medium that stores a computer program, and when the computer program is executed by a processor, implements the steps of the data access method.
  • FIG. 1 is a schematic flowchart of a data access method according to Embodiment 1 of the present application
  • FIG. 2 is a schematic flowchart of another data access method according to Embodiment 2 of the present application.
  • FIG. 3 is a schematic structural diagram of a data access device according to Embodiment 3 of the present application.
  • FIG. 4 is a schematic structural diagram of another data access device according to Embodiment 4 of the present application.
  • FIG. 5 is a schematic diagram of a mobile terminal provided in Embodiment 5 of the present application.
  • the data access method in the embodiment of the present application includes:
  • Step S11 Receive a data access request, where the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
  • the client constructs the access token according to the second metadata.
  • the second metadata is constructed based on the first metadata.
  • the second metadata may be constructed based on part or all of the first metadata.
  • the first metadata may be metadata corresponding to plain text or metadata corresponding to cipher text, and the first metadata may be selected to be transmitted in plain text.
  • the data access request includes a key used to encrypt the access token.
  • the access token needs to be encrypted before transmission, for example, using a symmetric encryption algorithm to encrypt,
  • Step S12 decrypt the encrypted access token
  • Step S13 If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
  • the encrypted access token can be successfully decrypted.
  • Step S14 Select whether to respond to the data access request according to the second metadata and the first metadata.
  • the second metadata and the first metadata include information of the same attribute, for example, if both the second metadata and the first metadata include a check value, then select whether the check value is the same In response to the data access request, if the verification values are the same, it responds to the data access request, such as feeding back data corresponding to the data access request to the client. Otherwise, it does not respond to the data access request.
  • the public key is used to encrypt the key used to encrypt the access token, as shown in Figure 2 As shown:
  • Step S22 using a preset private key to decrypt the key used to encrypt the access token after being encrypted using the public key;
  • a decryption algorithm used to decrypt the access token and a private key used to decrypt the encrypted key used to encrypt the access token are set.
  • the server decrypts the key used to encrypt the access token after being encrypted by the public key according to the private key. If the client's public key is correct, the server can decrypt the key used to encrypt the access token based on the preset private key.
  • step S23 if the key used to encrypt the access token is decrypted, the encrypted access token is decrypted according to the decrypted key.
  • Step S24 If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
  • Step S25 Select whether to respond to the data access request according to the second metadata and the first metadata.
  • step S24 and step S25 are the same as step S13 and step S14 of the first embodiment, and will not be repeated here.
  • the client in order to improve the success rate of decrypting the key, if the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained, and the public key The public key in the private key pair is returned to the client.
  • the client here refers to a legitimate client recorded by the server, which is not necessarily the client that sends the current data access request, so as to avoid sending the public key to the illegal client.
  • the second metadata includes a second clear text check value
  • the step S13 is specifically:
  • step S14 (or step S25) is specifically:
  • the first clear text check value can be directly in the first metadata, that is, the first clear text check value can be sent by sending the first metadata; in addition, the first clear text check value can also be determined by subsequent calculations For example, when the first metadata includes only plaintext metadata, after receiving the plaintext metadata, the server calculates the first plaintext check value corresponding to the first metadata according to the plaintext metadata.
  • the second metadata includes the second terminal identifier, then the step S13 (or step S24) is specifically:
  • the data access method further includes:
  • the terminal identifier corresponding to the client that sends the data access request is obtained. If the terminal identifier corresponding to the obtained client is the same as the terminal identifier obtained from the access token, it is determined that the terminal identifier is a legal terminal identifier, otherwise, It is determined that the terminal identification is an illegal terminal identification. Or, the server pre-stores a legal terminal ID, if the terminal ID obtained from the access token is the same as any stored terminal ID, the terminal ID is determined to be a legal terminal ID, otherwise, the terminal ID is determined to be illegal Terminal identification.
  • the second plaintext check value is further compared with the first plaintext check value corresponding to the first metadata, and if the second plain text check value is The first clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access. Judging whether to respond to the data access request by the terminal identification and the clear text verification value can further improve the accuracy of the judgment result, and thus can ensure the security of the client's private data.
  • the terminal identification after verifying that the terminal identification is a legal terminal identification, it is verified whether the frequency of client access corresponding to the terminal identification is legal.
  • the corresponding access current limit if legal, compares the second clear text check value with the first clear text check value corresponding to the first metadata, if the second clear text check value is equal to the first clear text
  • the verification value is the same, and in response to the data access request, if the second plaintext verification value is different from the first plaintext verification value, the data access request is identified as illegal access.
  • the second metadata further includes a second ciphertext verification value
  • the data access request includes the subject ciphertext
  • the second clear text verification value may also be acquired.
  • the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
  • the data access request is identified as illegal access.
  • step S13 is specifically:
  • the terminal identifier is a legal terminal identifier
  • a plaintext check value is the same
  • the text verification value is the same and responds to the data access request.
  • the validity time of the access token can be set, and the validity time is reflected by the second time stamp.
  • the second metadata includes a second time stamp, and the step S13 (or step S24) is specifically:
  • responding to the data access request is specifically:
  • the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
  • the data access method further includes:
  • the second metadata further includes a second timestamp and a second ciphertext verification value
  • the data access request includes the subject ciphertext
  • the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to Preset a time difference, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value and the second ciphertext The verification value is the same and responds to the data access request.
  • the encrypted access token If the encrypted access token is successfully decrypted, obtain the terminal identifier, second time stamp, second clear text check value, and second cipher text check value included in the access token;
  • the terminal identification is a legal terminal identification
  • obtain the first time stamp of the service party itself and if the difference between the second time stamp and the first time stamp is less than or equal to a preset time difference, the The second clear text check value is compared with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, the subject cipher text is mapped Compares the first ciphertext verification value with the second ciphertext verification value, and responds to the data access request if the first ciphertext verification value is the same as the second ciphertext verification value.
  • step S13 is specifically as follows:
  • the encrypted access token If the encrypted access token is successfully decrypted, obtain the terminal identifier, second time stamp, second clear text check value, and second cipher text check value included in the access token;
  • the second metadata is constructed based on the first metadata.
  • the second metadata may be constructed based on part or all of the first metadata.
  • the first metadata may be metadata corresponding to plain text or metadata corresponding to cipher text, and the first metadata may optionally be transmitted in plain text.
  • the data access request includes a key used to encrypt the access token.
  • the access token decryption unit 32 is used to decrypt the encrypted access token
  • the second metadata obtaining unit 33 is configured to obtain the second metadata included in the access token if the encrypted access token is successfully decrypted;
  • the server since the data access request includes the encrypted access token, the server will only choose whether to respond to the received after decrypting the access token and comparing the second metadata with the first metadata
  • the data access request that is, due to the addition of a selection process, can ensure the security of the client's private information without requiring the client's key.
  • the fourth embodiment of the present application provides another data access device.
  • the above data access device may be integrated into a mobile terminal.
  • the data access device 4 in the embodiment of the present application includes:
  • the data access request receiving unit 41 is configured to receive a data access request including first metadata, an encrypted access token, and a public key to encrypt the key used to encrypt the access token,
  • the access token includes second metadata;
  • the key decryption unit 42 is used to decrypt the key used to encrypt the access token after being encrypted using the public key by using a preset private key;
  • the access token decrypting unit 43 is configured to decrypt the encrypted access token according to the decrypted key if the key used to encrypt the access token is decrypted.
  • the second metadata obtaining unit 44 is configured to obtain second metadata included in the access token if the encrypted access token is successfully decrypted;
  • the data access request selection response unit 45 is configured to select whether to respond to the data access request based on the second metadata and the first metadata.
  • the data access device 4 in order to increase the success rate of decrypting the key, further includes:
  • the public key sending unit is used to obtain the latest public key private key pair in the system if the key used to encrypt the access token is not decrypted, and return the public key in the public key private key pair to the customer end.
  • the client here refers to a legitimate client recorded by the server, which is not necessarily the client that sends the current data access request, so as to avoid sending the public key to the illegal client.
  • the second metadata includes a second clear text check value
  • the second metadata acquisition unit 44 is specifically configured to:
  • the data access request selection response unit 45 is specifically used for:
  • the second metadata includes the second terminal identification, and the second metadata acquisition unit 44 is specifically configured to:
  • the data access device 4 further includes:
  • the terminal identifier is a legal judgment unit, which is used to judge whether the terminal identifier is a legal terminal identifier, and mark the data access request as illegal access when the terminal identifier is an illegal terminal identifier.
  • the data access request selection response unit 45 is executed, and the data access request selection response unit 45 is specifically used to:
  • the data access device 4 further includes: an access frequency legality judgment unit, configured to verify that the terminal ID corresponds to the terminal ID after verifying that the terminal ID is a legal terminal ID Whether the access frequency of the client is legal, and if not, the access limit corresponding to this data access request is limited. If it is legal, the data access request selection response unit 45 is executed, and the data access request selection response unit 45 is specifically used to:
  • the second metadata further includes a second ciphertext verification value
  • the data access request includes the subject ciphertext
  • the second metadata acquisition unit 44 is specifically configured to:
  • the data access request selection response unit 45 is specifically used for:
  • the data access request is identified as illegal access.
  • the second metadata obtaining unit 44 is specifically configured to:
  • the data access device 4 further includes:
  • Whether the terminal identification is legal judgment unit is used to determine whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identify the data access request as illegal access;
  • the data access request selection response unit 45 is specifically configured to: if the terminal identification is a legal terminal identification, verify the second clear text check value and the first clear text check corresponding to the first metadata Value comparison, if the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, If the first ciphertext verification value is the same as the second ciphertext verification value, respond to the data access request.
  • the validity time of the access token can be set, and the validity time is reflected by the second time stamp.
  • the second metadata includes a second timestamp, and the second metadata acquisition unit 44 is specifically configured to:
  • the data access request selection response unit 45 is specifically used for:
  • the server itself is obtained
  • the first timestamp if the difference between the second timestamp and the first timestamp is less than or equal to a preset time difference, respond to the data access request.
  • the second metadata further includes a second timestamp and a second ciphertext verification value, and the data access request includes the subject ciphertext, then the second metadata acquisition unit 44 is specifically configured to :
  • the server itself is obtained
  • the first timestamp if the difference between the second timestamp and the first timestamp is less than or equal to a preset time difference, the first ciphertext check value corresponding to the subject ciphertext is The second ciphertext verification value is compared, and if the first ciphertext verification value is the same as the second ciphertext verification value, respond to the data access request.
  • the second metadata acquisition unit 44 is specifically used to:
  • Whether the terminal identification is legal judgment unit is used to determine whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identify the data access request as illegal access;
  • the data access request selection response unit 45 is specifically configured to: if the terminal identification is a legal terminal identification, acquire the first time stamp of the service party itself, and if the difference between the second time stamp and the first time stamp is If the value is less than or equal to the preset time difference, compare the second clear text check value with the first clear text check value corresponding to the first metadata, if the second clear text check value is equal to the first
  • the plain text check value is the same, and the first cipher text check value corresponding to the subject cipher text is compared with the second cipher text check value, if the first cipher text check value is the second cipher text
  • the verification value is the same and responds to the data access request.
  • the second metadata acquisition unit 44 is specifically used to:
  • the encrypted access token If the encrypted access token is successfully decrypted, obtain the terminal identifier, second time stamp, second clear text check value, and second cipher text check value included in the access token;
  • the data access device 4 further includes:
  • Whether the terminal identification is legal judgment unit is used to determine whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identify the data access request as illegal access;
  • the terminal ID is a legal terminal ID
  • verify whether the client's access frequency corresponding to the terminal ID is legal and if the client's access frequency corresponding to the terminal ID is legal, obtain the first time stamp of the server itself.
  • the difference between the second time stamp and the first time stamp is less than or equal to a preset time difference, and the second clear text check value is compared with the first clear text check value corresponding to the first metadata, If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
  • the mobile terminal in the embodiment of the present application includes: a memory 501, one or more processors 502 (only one is shown in FIG. 5) and stored in the memory 501 A computer program that can be run on a processor.
  • the memory 501 is used to store software programs and modules.
  • the processor 502 executes various functional applications and data processing by running the software programs and units stored in the memory 501 to obtain resources corresponding to the preset events. Specifically, the processor 502 implements the following steps by running the above computer program stored in the memory 501:
  • the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
  • the data access request further includes a public key for encryption The key of the access token
  • the decrypting the encrypted access token includes:
  • the encrypted access token is decrypted according to the decrypted key.
  • the processor 502 further implements the following steps when running the above-mentioned computer program stored in the memory 501:
  • the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained, and the public key in the public key private key pair is returned to the client.
  • the second metadata includes a second clear text check value, then if the encrypted access order is successfully decrypted Card, and obtaining the second metadata included in the access token is specifically:
  • the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
  • the second metadata includes a terminal identification, then if the encrypted access token is successfully decrypted, the The second metadata included in the access token is specifically:
  • the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
  • responding to the data access request is specifically:
  • the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
  • the second metadata further includes a second timestamp, if the encrypted access token is successfully decrypted , Obtaining the second metadata included in the access token is specifically:
  • the processor 502 further implements the following steps when running the above computer program stored in the memory 501:
  • the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to Preset a time difference, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value and the second ciphertext The verification value is the same and responds to the data access request.
  • the above mobile terminal may further include: one or more input devices 503 (only one is shown in FIG. 5) and one or more output devices 504 (only one is shown in FIG. 5).
  • the memory 501, the processor 502, the input device 503, and the output device 504 are connected through a bus 505.
  • the so-called processor 502 may be a central processing unit (Central Processing Unit, CPU), and the processor may also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP) , Application Specific Integrated Circuit (Application Specific Integrated Circuit, ASIC), ready-made programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the input device 503 may include a keyboard, a touchpad, a fingerprint sensor (for collecting user's fingerprint information and fingerprint direction information), a microphone, etc.
  • the output device 504 may include a display, a speaker, and the like.
  • the memory 501 may include a read-only memory and a random access memory, and provide instructions and data to the processor 502. Part or all of the memory 501 may also include non-volatile random access memory. For example, the memory 501 may also store device type information.
  • each functional unit and module is used as an example for illustration.
  • the above-mentioned functions may be allocated by different functional units
  • Module completion means that the internal structure of the above device is divided into different functional units or modules to complete all or part of the functions described above.
  • the functional units and modules in the embodiments may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above integrated unit may use hardware It can also be implemented in the form of software functional units.
  • the specific names of each functional unit and module are only for the purpose of distinguishing each other, and are not used to limit the protection scope of the present application.
  • the disclosed device and method may be implemented in other ways.
  • the system embodiments described above are only schematic.
  • the division of the above-mentioned modules or units is only a division of logical functions.
  • there may be other divisions for example, multiple units or components may be combined Or it can be integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the above integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • the present application can implement all or part of the processes in the methods of the above embodiments, and can also be completed by instructing relevant hardware through a computer program.
  • the above computer program can be stored in a computer-readable storage medium, and the computer program When executed by the processor, the steps of the foregoing method embodiments may be implemented.
  • the above-mentioned computer program includes computer program code, and the above-mentioned computer program code may be in the form of source code, object code, executable file or some intermediate form.
  • the above-mentioned computer-readable storage medium may include: any entity or device capable of carrying the above-mentioned computer program code, recording medium, U disk, removable hard disk, magnetic disk, optical disk, computer-readable memory, read-only memory (ROM, Read-Only Memory) ), Random Access Memory (RAM, Random Access Memory), electrical carrier signals, telecommunications signals and software distribution media, etc.
  • ROM Read-Only Memory
  • RAM Random Access Memory
  • electrical carrier signals telecommunications signals and software distribution media, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A data access method, a data access apparatus, a mobile terminal, and a computer-readable storage medium. The data access method comprises: receiving a data access request, the data access request comprising first metadata and an encrypted access token, the access token comprising second metadata (S11); decrypting said access token (S12); if said access token is successfully decrypted, obtaining the second metadata comprised in the access token (S13); and selecting, according to the second metadata and the first metadata, whether to respond to the data access request (S14). The method can ensure the security of private information of a client.

Description

一种数据访问方法、数据访问装置及移动终端Data access method, data access device and mobile terminal 技术领域Technical field
本申请属于信息处理技术领域,尤其涉及一种数据访问方法、数据访问装置、移动终端及计算机可读存储介质。The present application belongs to the field of information processing technology, and particularly relates to a data access method, a data access device, a mobile terminal, and a computer-readable storage medium.
背景技术Background technique
开放鉴权应用程序接口(OAuth,An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications)标准是一个第三方应用程序接口(API)鉴权授权访问协议,该OAuth标准能够让客户端在不暴露客户端密钥的情况下将客户端在某个服务提供商保存的隐私信息暴露给第三方应用。The open authentication application program interface (OAuth, An open protocol to allow secure API authorization) in a simple and standard method from desktop applications and web application standards is a third-party application program interface (API) authentication authorization access protocol. Let the client expose the private information saved by the client to a third-party application without exposing the client key.
发明内容Summary of the invention
本申请提供一种数据访问方法、数据访问装置、移动终端及计算机可读存储介质,可提高隐私信息传输的安全性。This application provides a data access method, a data access device, a mobile terminal, and a computer-readable storage medium, which can improve the security of private information transmission.
本申请的第一方面提供了一种数据访问方法,包括:The first aspect of the present application provides a data access method, including:
接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;Receiving a data access request, the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
解密所述加密后的访问令牌;Decrypt the encrypted access token;
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。Select whether to respond to the data access request according to the second metadata and the first metadata.
在第一方面为基础的第一种可能的实现方式中,所述数据访问请求还包括采用公钥加密后的用于加密所述访问令牌的密钥;In a first possible implementation manner based on the first aspect, the data access request further includes a key used to encrypt the access token after being encrypted using a public key;
对应地,所述解密所述加密后的访问令牌包括:Correspondingly, the decrypting the encrypted access token includes:
采用预设的私钥解密所述采用公钥加密后的所述用于加密所述访问令牌的密钥;Using a preset private key to decrypt the key used to encrypt the access token after being encrypted using the public key;
若解密出用于加密所述访问令牌的密钥,根据解密出的密钥解密所述加密后的访问令牌。If the key used to encrypt the access token is decrypted, the encrypted access token is decrypted according to the decrypted key.
在第一方面的第一种可能的实现方式为基础的第二种可能的实现方式中,若没有解密出用于加密所述访问令牌的密钥,获取系统中最新的公钥私钥对,并将所述公钥私钥对中的公钥返回至客户端。In a second possible implementation based on the first possible implementation of the first aspect, if the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained And return the public key in the public key private key pair to the client.
在第一方面为基础的第三种可能的实现方式中,所述第二元数据包括第二明文校验值,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a third possible implementation manner based on the first aspect, the second metadata includes a second clear text check value, and then if the encrypted access token is successfully decrypted, the access order is obtained The second metadata included in the card is:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值;If the encrypted access token is successfully decrypted, obtain the second clear text check value included in the access token;
对应地,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:Correspondingly, the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文 校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
在第一方面的第三种可能实现方式为基础的第四种可能的实现方式中,所述第二元数据包括终端标识,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a fourth possible implementation based on the third possible implementation of the first aspect, where the second metadata includes the terminal identification, if the encrypted access token is successfully decrypted, the The second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识;If the encrypted access token is successfully decrypted, obtain the terminal identification included in the access token;
对应地,所述数据访问方法还包括:Correspondingly, the data access method further includes:
判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问。Judging whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identifying the data access request as illegal access.
在第一方面的第四种可能的实现方式为基础的第五种可能的实现方式中,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:In a fifth possible implementation based on the fourth possible implementation of the first aspect, the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically: :
若所述终端标识为合法的终端标识,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。If the terminal identifier is a legal terminal identifier, compare the second plain text check value with the first plain text check value corresponding to the first metadata, and if the second plain text check value is equal to the first A clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access.
在第一方面的第三种可能的实现方式为基础的第六种可能的实现方式中,所述第二元数据还包括第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a sixth possible implementation manner based on the third possible implementation manner of the first aspect, the second metadata further includes a second ciphertext verification value, and the data access request includes the subject ciphertext, Then, if the encrypted access token is successfully decrypted, acquiring the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second ciphertext verification value included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
在第一方面的第三种可能的实现方式为基础的第七种可能的实现方式中,所述第二元数据还包括第二时间戳,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a seventh possible implementation based on the third possible implementation of the first aspect, the second metadata further includes a second timestamp, then if the encrypted access order is successfully decrypted Card, and obtaining the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳;If the encrypted access token is successfully decrypted, obtain the second time stamp included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
在第一方面的第七种可能的实现方式为基础的第八种可能的实现方式中,所述数据访问方法还包括:In an eighth possible implementation manner based on the seventh possible implementation manner of the first aspect, the data access method further includes:
若所述第二时间戳与所述第一时间戳的差值大于所述预设时间差值,对所述数据访问请求执行限流操作。If the difference between the second time stamp and the first time stamp is greater than the preset time difference, a current limiting operation is performed on the data access request.
在第一方面的第三种可能的实现方式为基础的第九种可能的实现方式中,所述第二元数据还包括第二时间戳和第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a ninth possible implementation manner based on the third possible implementation manner of the first aspect, the second metadata further includes a second time stamp and a second ciphertext verification value, and the data access request Including the main body ciphertext, if the encrypted access token is successfully decrypted, acquiring the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second time stamp and the second ciphertext verification value included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to Preset a time difference, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value and the second ciphertext The verification value is the same and responds to the data access request.
本申请的第二方面提供了一种数据访问装置,包括:The second aspect of the present application provides a data access device, including:
第一数据访问请求接收单元,用于接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;A first data access request receiving unit, configured to receive a data access request, where the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
访问令牌解密单元,用于解密所述加密后的访问令牌;An access token decryption unit, used to decrypt the encrypted access token;
第二元数据获取单元,用于若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;A second metadata acquisition unit for acquiring the second metadata included in the access token if the encrypted access token is successfully decrypted;
数据访问请求选择响应单元,用于根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。The data access request selection response unit is configured to select whether to respond to the data access request based on the second metadata and the first metadata.
本申请的第三方面提供了一种移动终端,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机程序,所述处理器执行所述计算机程序时实现如下步骤:A third aspect of the present application provides a mobile terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor. The processor implements the computer program as follows step:
接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;Receiving a data access request, the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
解密所述加密后的访问令牌;Decrypt the encrypted access token;
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。Select whether to respond to the data access request according to the second metadata and the first metadata.
在第三方面为基础的第一种可能的实现方式中,所述数据访问请求还包括采用公钥加密后的用于加密所述访问令牌的密钥,对应地,所述解密所述加密后的访问令牌包括:In a first possible implementation manner based on the third aspect, the data access request further includes a key used to encrypt the access token after being encrypted using a public key, and correspondingly, the decrypting the encryption Later access tokens include:
采用预设的私钥解密所述采用公钥加密后的所述用于加密所述访问令牌的密钥;Using a preset private key to decrypt the key used to encrypt the access token after being encrypted using the public key;
若解密出用于加密所述访问令牌的密钥,根据解密出的密钥解密所述加密后的访问令牌。If the key used to encrypt the access token is decrypted, the encrypted access token is decrypted according to the decrypted key.
在第三方面的第一种可能的实现方式为基础的第二种可能的实现方式,若没有解密出用于加 密所述访问令牌的密钥,获取系统中最新的公钥私钥对,并将所述公钥私钥对中的公钥返回至客户端。In the second possible implementation based on the first possible implementation of the third aspect, if the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained, And return the public key in the public key private key pair to the client.
在第三方面为基础的第三种可能的实现方式,所述第二元数据包括第二明文校验值,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a third possible implementation manner based on the third aspect, the second metadata includes a second clear text check value, and if the encrypted access token is successfully decrypted, the access token is obtained The included second metadata is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值;If the encrypted access token is successfully decrypted, obtain the second clear text check value included in the access token;
对应地,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:Correspondingly, the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
在第三方面的第三种可能的实现方式为基础的第四种可能的实现方式,所述第二元数据包括终端标识,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a fourth possible implementation based on the third possible implementation of the third aspect, the second metadata includes a terminal identification, and if the encrypted access token is successfully decrypted, the The second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识;If the encrypted access token is successfully decrypted, obtain the terminal identification included in the access token;
对应地,所述处理器执行所述计算机程序时还实现以下步骤:Correspondingly, the processor also implements the following steps when executing the computer program:
判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问。Judging whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identifying the data access request as illegal access.
在第三方面的第四种可能的实现方式为基础的第五种可能的实现方式,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:According to a fifth possible implementation manner based on the fourth possible implementation manner of the third aspect, the selection of whether to respond to the data access request according to the second metadata and the first metadata specifically includes:
若所述终端标识为合法的终端标识,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。If the terminal identifier is a legal terminal identifier, compare the second plain text check value with the first plain text check value corresponding to the first metadata, and if the second plain text check value is equal to the first A clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access.
在第三方面的第三种可能的实现方式为基础的第六种可能的实现方式,所述第二元数据还包括第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a sixth possible implementation manner based on the third possible implementation manner in the third aspect, the second metadata further includes a second ciphertext verification value, and the data access request includes the subject ciphertext, then If the encrypted access token is successfully decrypted, obtaining the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second ciphertext verification value included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
在第三方面的第三种可能的实现方式为基础的第七种可能的实现方式,所述第二元数据还包括第二时间戳,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据 具体为:According to a seventh possible implementation manner based on the third possible implementation manner of the third aspect, the second metadata further includes a second time stamp, and then if the encrypted access token is successfully decrypted , Obtaining the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳;If the encrypted access token is successfully decrypted, obtain the second time stamp included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
本申请的第四方面提供了一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,所述计算机程序被处理器执行时实现如所述数据访问方法的步骤。A fourth aspect of the present application provides a computer-readable storage medium that stores a computer program, and when the computer program is executed by a processor, implements the steps of the data access method.
附图说明BRIEF DESCRIPTION
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly explain the technical solutions in the embodiments of the present application, the following will briefly introduce the drawings required in the embodiments or the description of the prior art. Obviously, the drawings in the following description are only for the application For some embodiments, those of ordinary skill in the art can obtain other drawings based on these drawings without paying any creative labor.
图1是本申请实施例一提供的一种数据访问方法的流程示意图;FIG. 1 is a schematic flowchart of a data access method according to Embodiment 1 of the present application;
图2是本申请实施例二提供的另一种数据访问方法的流程示意图;2 is a schematic flowchart of another data access method according to Embodiment 2 of the present application;
图3是本申请实施例三提供的一种数据访问装置的结构示意图;3 is a schematic structural diagram of a data access device according to Embodiment 3 of the present application;
图4是本申请实施例四提供的另一种数据访问装置的结构示意图;4 is a schematic structural diagram of another data access device according to Embodiment 4 of the present application;
图5是本申请实施例五提供的移动终端的示意图。5 is a schematic diagram of a mobile terminal provided in Embodiment 5 of the present application.
具体实施方式detailed description
以下描述中,为了说明而不是为了限定,提出了诸如特定系统结构、技术之类的具体细节,以便透彻理解本申请实施例。然而,本领域的技术人员应当清楚,在没有这些具体细节的其它实施例中也可以实现本申请。在其它情况中,省略对众所周知的系统、装置、电路以及方法的详细说明,以免不必要的细节妨碍本申请的描述。In the following description, for the purpose of illustration rather than limitation, specific details such as specific system structure and technology are proposed to thoroughly understand the embodiments of the present application. However, those skilled in the art should understand that the present application can also be implemented in other embodiments without these specific details. In other cases, detailed descriptions of well-known systems, devices, circuits, and methods are omitted to avoid unnecessary details hindering the description of the present application.
为了说明本申请上述的技术方案,下面通过具体实施例来进行说明。In order to explain the above technical solutions of the present application, the following will be described by specific embodiments.
实施例一:Example one:
下面对本申请实施例提供的一种数据访问方法进行描述,请参阅图1,本申请实施例中的数据访问方法包括:The following describes a data access method provided by an embodiment of the present application. Referring to FIG. 1, the data access method in the embodiment of the present application includes:
步骤S11,接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;Step S11: Receive a data access request, where the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
本实施例中,若客户端在访问不需要注册登录账户但需要传输私密内容的场景,比如通过数字信封的方式传输,则发送数据访问请求至服务方,发送的数据访问请求包括加密后的访问令牌,客户端根据第二元数据构造出所述访问令牌。在一些实施例中,第二元数据根据第一元数据构造,当第一元数据有多个时,第二元数据可根据部分或全部的第一元数据构造。在一些实施例中,第 一元数据可以为明文对应的元数据,也可以为密文对应的元数据,该第一元数据可选择通过明文传输。In this embodiment, if the client accesses a scenario that does not require a login account but needs to transmit private content, such as transmission through a digital envelope, a data access request is sent to the server, and the sent data access request includes the encrypted access Token, the client constructs the access token according to the second metadata. In some embodiments, the second metadata is constructed based on the first metadata. When there are multiple first metadata, the second metadata may be constructed based on part or all of the first metadata. In some embodiments, the first metadata may be metadata corresponding to plain text or metadata corresponding to cipher text, and the first metadata may be selected to be transmitted in plain text.
在一些实施例中,数据访问请求包括用于加密访问令牌的密钥。本实施例中,为了提高传输的访问令牌的安全性,该访问令牌在传输之前需要进行加密,比如,采用对称加密算法进行加密,In some embodiments, the data access request includes a key used to encrypt the access token. In this embodiment, in order to improve the security of the transmitted access token, the access token needs to be encrypted before transmission, for example, using a symmetric encryption algorithm to encrypt,
步骤S12,解密所述加密后的访问令牌;Step S12, decrypt the encrypted access token;
本实施例中,服务方根据预先与客户端协商的协议解密接收到的数据访问请求包括的访问令牌。在预设的与客户端协商的协议中,设定了用于解密访问令牌的解密算法。在一些实施例中,若数据访问请求包括用于加密访问令牌的密钥,则服务方根据预设的与客户端协商的协议中的解密算法以及该密钥解密该加密后的访问令牌。In this embodiment, the server decrypts the access token included in the received data access request according to a protocol negotiated with the client in advance. In the preset protocol negotiated with the client, a decryption algorithm for decrypting the access token is set. In some embodiments, if the data access request includes a key for encrypting the access token, the server decrypts the encrypted access token according to the decryption algorithm in the protocol negotiated with the client and the key .
步骤S13,若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;Step S13: If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
本实施例中,若解密算法与密钥匹配,则能够成功解密出加密后的访问令牌。In this embodiment, if the decryption algorithm matches the key, the encrypted access token can be successfully decrypted.
步骤S14,根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。Step S14: Select whether to respond to the data access request according to the second metadata and the first metadata.
该步骤中,若第二元数据与第一元数据包括相同属性的信息,比如,若第二元数据与第一元数据都包括一个校验值,则通过比较校验值是否相同来选择是否响应该数据访问请求,若校验值相同,则响应所述数据访问请求,比如向客户端反馈该数据访问请求对应的数据。反之,则不响应所述数据访问请求。In this step, if the second metadata and the first metadata include information of the same attribute, for example, if both the second metadata and the first metadata include a check value, then select whether the check value is the same In response to the data access request, if the verification values are the same, it responds to the data access request, such as feeding back data corresponding to the data access request to the client. Otherwise, it does not respond to the data access request.
本申请实施例中,接收到包括第一元数据以及加密后的访问令牌的数据访问请求后,解密所述加密后的访问令牌,若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据,根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。由于数据访问请求包括加密后的访问令牌,因此,服务方只有在解密出访问令牌以及在比对第二元数据与第一元数据后才会选择是否响应接收的数据访问请求,即由于增加了一个选择过程,从而在不需要客户端密钥的情况下也能保证客户端私密信息的安全性。In the embodiment of the present application, after receiving the data access request including the first metadata and the encrypted access token, the encrypted access token is decrypted. If the encrypted access token is successfully decrypted, the The second metadata included in the access token selects whether to respond to the data access request according to the second metadata and the first metadata. Since the data access request includes the encrypted access token, the server only chooses whether to respond to the received data access request after decrypting the access token and comparing the second metadata with the first metadata, that is, because A selection process is added to ensure the security of the client ’s private information without requiring the client ’s key.
实施例二:Example 2:
为了增强用于加密访问令牌的密钥的传输安全性,则在传输该用于加密访问令牌的密钥之前,采用公钥加密该用于加密访问令牌的密钥,具体如图2所示:In order to enhance the transmission security of the key used to encrypt the access token, before transmitting the key used to encrypt the access token, the public key is used to encrypt the key used to encrypt the access token, as shown in Figure 2 As shown:
步骤S21,接收数据访问请求,所述数据访问请求包括第一元数据、加密后的访问令牌以及采用公钥加密所述用于加密所述访问令牌的密钥,所述访问令牌包括第二元数据;Step S21: Receive a data access request, where the data access request includes first metadata, an encrypted access token, and a public key to encrypt the key used to encrypt the access token. The access token includes Second metadata
步骤S22,采用预设的私钥解密所述采用公钥加密后的所述用于加密所述访问令牌的密钥;Step S22, using a preset private key to decrypt the key used to encrypt the access token after being encrypted using the public key;
具体地,在预设的与客户端协商的协议中,设定了用于解密访问令牌的解密算法以及用于解密加密后的用于加密所述访问令牌的密钥的私钥。服务方根据该私钥解密经过公钥加密后的用于加密访问令牌的密钥。若客户端的公钥是正确的,则服务方根据预设的私钥能够解密出用于加密访问令牌的密钥。Specifically, in a preset protocol negotiated with the client, a decryption algorithm used to decrypt the access token and a private key used to decrypt the encrypted key used to encrypt the access token are set. The server decrypts the key used to encrypt the access token after being encrypted by the public key according to the private key. If the client's public key is correct, the server can decrypt the key used to encrypt the access token based on the preset private key.
步骤S23,若解密出用于加密所述访问令牌的密钥,根据解密出的密钥解密所述加密后的访问令牌。In step S23, if the key used to encrypt the access token is decrypted, the encrypted access token is decrypted according to the decrypted key.
步骤S24,若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;Step S24: If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
步骤S25,根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。Step S25: Select whether to respond to the data access request according to the second metadata and the first metadata.
其中,步骤S24、步骤S25与实施例一的步骤S13、步骤S14相同,此次不再赘述。Among them, step S24 and step S25 are the same as step S13 and step S14 of the first embodiment, and will not be repeated here.
在一些实施例中,为了提高解密出密钥的成功率,则若没有解密出用于加密所述访问令牌的密钥,获取系统中最新的公钥私钥对,并将所述公钥私钥对中的公钥返回至客户端。需要指出的是,这里的客户端是指服务方记录的合法的客户端,其不一定为发送当前的数据访问请求的客户端,这样能够避免将公钥发送给非法的客户端。In some embodiments, in order to improve the success rate of decrypting the key, if the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained, and the public key The public key in the private key pair is returned to the client. It should be pointed out that the client here refers to a legitimate client recorded by the server, which is not necessarily the client that sends the current data access request, so as to avoid sending the public key to the illegal client.
在一些实施例中,所述第二元数据包括第二明文校验值,则所述步骤S13(或步骤S24)具体为:In some embodiments, the second metadata includes a second clear text check value, then the step S13 (or step S24) is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值;If the encrypted access token is successfully decrypted, obtain the second clear text check value included in the access token;
对应地,所述步骤S14(或步骤S25)具体为:Correspondingly, the step S14 (or step S25) is specifically:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
其中,第一明文校验值可直接在第一元数据中,即通过发送第一元数据实现第一明文校验值的发送;此外,第一明文校验值也可通过后续的计算确定,比如,在第一元数据仅包括明文元数据时,当服务方接收到该明文元数据后,根据该明文元数据计算第一元数据对应的第一明文校验值。The first clear text check value can be directly in the first metadata, that is, the first clear text check value can be sent by sending the first metadata; in addition, the first clear text check value can also be determined by subsequent calculations For example, when the first metadata includes only plaintext metadata, after receiving the plaintext metadata, the server calculates the first plaintext check value corresponding to the first metadata according to the plaintext metadata.
在一些实施例中,第二元数据包括第二终端标识,则所述步骤S13(或步骤S24)具体为:In some embodiments, the second metadata includes the second terminal identifier, then the step S13 (or step S24) is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识;If the encrypted access token is successfully decrypted, obtain the terminal identification included in the access token;
对应地,所述数据访问方法还包括:Correspondingly, the data access method further includes:
判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问。具体地,获取发送数据访问请求的客户端对应的终端标识,若获取的客户端对应的终端标识与从访问令牌获取的终端标识相同,则判定所述终端标识为合法的终端标识,否则,判定所述终端标识为非法的终端标识。或者,服务方预先存储合法的终端标识,若从访问令牌获取的终端标识与存储的任一个终端标识相同,则判定所述终端标识为合法的终端标识,否则,判定所述终端标识为非法的终端标识。Judging whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identifying the data access request as illegal access. Specifically, the terminal identifier corresponding to the client that sends the data access request is obtained. If the terminal identifier corresponding to the obtained client is the same as the terminal identifier obtained from the access token, it is determined that the terminal identifier is a legal terminal identifier, otherwise, It is determined that the terminal identification is an illegal terminal identification. Or, the server pre-stores a legal terminal ID, if the terminal ID obtained from the access token is the same as any stored terminal ID, the terminal ID is determined to be a legal terminal ID, otherwise, the terminal ID is determined to be illegal Terminal identification.
若所述终端标识为合法的终端标识,则进一步将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。通过终 端标识与明文校验值一起判断是否响应数据访问请求,能够进一步提高判断结果的准确性,从而能够保证客户端隐私数据的安全性。If the terminal identifier is a legal terminal identifier, the second plaintext check value is further compared with the first plaintext check value corresponding to the first metadata, and if the second plain text check value is The first clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access. Judging whether to respond to the data access request by the terminal identification and the clear text verification value can further improve the accuracy of the judgment result, and thus can ensure the security of the client's private data.
为了进一步提高隐私信息的安全性,在一些实施例中,在验证终端标识为合法的终端标识后,验证所述终端标识对应的客户端的访问频率是否合法,若不合法,对本次数据访问请求对应的访问限流,若合法,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。In order to further improve the security of private information, in some embodiments, after verifying that the terminal identification is a legal terminal identification, it is verified whether the frequency of client access corresponding to the terminal identification is legal. The corresponding access current limit, if legal, compares the second clear text check value with the first clear text check value corresponding to the first metadata, if the second clear text check value is equal to the first clear text The verification value is the same, and in response to the data access request, if the second plaintext verification value is different from the first plaintext verification value, the data access request is identified as illegal access.
在一些实施例中,所述第二元数据还包括第二密文校验值,所述数据访问请求包括主体密文,则所述步骤S13(或步骤S24)具体为:In some embodiments, the second metadata further includes a second ciphertext verification value, and the data access request includes the subject ciphertext, then the step S13 (or step S24) is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second ciphertext verification value included in the access token;
该步骤中,解密出访问令牌之后,除了获取第二密文校验值,还可以获取第二明文校验值。In this step, after decrypting the access token, in addition to acquiring the second cipher text verification value, the second clear text verification value may also be acquired.
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
若所述第二明文校验值与所述第一明文校验值不同,则标识所述数据访问请求为非法访问。If the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
当然,若所述第二元数据包括第二明文校验值、第二密文校验值以及终端标识,则所述步骤S13(或步骤S24)具体为:Of course, if the second metadata includes a second clear text check value, a second cipher text check value, and a terminal identifier, then step S13 (or step S24) is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值、第二密文校验值以及终端标识;If the encrypted access token is successfully decrypted, obtain the second clear text verification value, the second cipher text verification value, and the terminal identification included in the access token;
在该步骤之后,执行以下步骤:判断所述终端标识是否为合法的终端标识;After this step, the following steps are performed: judging whether the terminal identification is a legal terminal identification;
若所述终端标识为合法的终端标识,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the terminal identifier is a legal terminal identifier, compare the second plain text check value with the first plain text check value corresponding to the first metadata, and if the second plain text check value is equal to the first A plaintext check value is the same, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value is equal to the second ciphertext The text verification value is the same and responds to the data access request.
为了提高抵抗重放攻击的鲁棒性,可设置访问令牌的有效时间,该有效时间通过第二时间戳体现。此时,所述第二元数据包括第二时间戳,则所述步骤S13(或步骤S24)具体为:In order to improve the robustness against replay attacks, the validity time of the access token can be set, and the validity time is reflected by the second time stamp. At this time, the second metadata includes a second time stamp, and the step S13 (or step S24) is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳;If the encrypted access token is successfully decrypted, obtain the second time stamp included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述 第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
在一些实施例中,所述数据访问方法还包括:In some embodiments, the data access method further includes:
若所述第二时间戳与所述第一时间戳的差值大于所述预设时间差值,对所述数据访问请求执行限流操作。If the difference between the second time stamp and the first time stamp is greater than the preset time difference, a current limiting operation is performed on the data access request.
在一些实施例中,所述第二元数据还包括第二时间戳和第二密文校验值,所述数据访问请求包括主体密文,则所述步骤S13(或步骤S24)具体为:In some embodiments, the second metadata further includes a second timestamp and a second ciphertext verification value, and the data access request includes the subject ciphertext, then the step S13 (or step S24) is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second time stamp and the second ciphertext verification value included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to Preset a time difference, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value and the second ciphertext The verification value is the same and responds to the data access request.
在一些实施例中,若所述第二元数据包括:终端标识、第二时间戳、第二明文校验值和第二密文校验值,所述数据访问请求包括主体密文,则所述步骤S13(或步骤S24)具体为:In some embodiments, if the second metadata includes: a terminal identifier, a second time stamp, a second clear text check value, and a second cipher text check value, and the data access request includes the subject cipher text, then The step S13 (or step S24) is specifically as follows:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识、第二时间戳、第二明文校验值和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the terminal identifier, second time stamp, second clear text check value, and second cipher text check value included in the access token;
在该步骤之后,执行以下步骤:判断所述终端标识是否为合法的终端标识;After this step, the following steps are performed: judging whether the terminal identification is a legal terminal identification;
若所述终端标识为合法的终端标识,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the terminal identification is a legal terminal identification, obtain the first time stamp of the service party itself, and if the difference between the second time stamp and the first time stamp is less than or equal to a preset time difference, the The second clear text check value is compared with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, the subject cipher text is mapped Compares the first ciphertext verification value with the second ciphertext verification value, and responds to the data access request if the first ciphertext verification value is the same as the second ciphertext verification value.
在一些实施例中,若所述第二元数据包括:终端标识、第二时间戳、第二明文校验值和第二密文校验值,所述数据访问请求包括主体密文,则所述步骤S13(或步骤S24)具体为:In some embodiments, if the second metadata includes: a terminal identifier, a second time stamp, a second clear text check value, and a second cipher text check value, and the data access request includes the subject cipher text, then The step S13 (or step S24) is specifically as follows:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识、第二时间戳、第二明文校验值和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the terminal identifier, second time stamp, second clear text check value, and second cipher text check value included in the access token;
在该步骤之后,执行以下步骤:判断所述终端标识是否为合法的终端标识;After this step, the following steps are performed: judging whether the terminal identification is a legal terminal identification;
若所述终端标识为合法的终端标识,验证所述终端标识对应的客户端的访问频率是否合法,若所述终端标识对应的客户端的访问频率合法,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的 第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the terminal ID is a legal terminal ID, verify whether the client's access frequency corresponding to the terminal ID is legal, and if the client's access frequency corresponding to the terminal ID is legal, obtain the first time stamp of the server itself. The difference between the second time stamp and the first time stamp is less than or equal to a preset time difference, and the second clear text check value is compared with the first clear text check value corresponding to the first metadata, If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
应理解,上述实施例中各步骤的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。It should be understood that the size of the sequence numbers of the steps in the above embodiments does not mean the order of execution, and the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
实施例三Example Three
与上述实施例一对应,本申请实施例三提供了一种数据访问装置,上述数据访问装置可集成于移动终端中,如图3所示,本申请实施例中的数据访问装置3包括:Corresponding to the first embodiment, the third embodiment of the present application provides a data access device. The above data access device may be integrated into a mobile terminal. As shown in FIG. 3, the data access device 3 in the embodiment of the present application includes:
数据访问请求接收单元31,用于接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;The data access request receiving unit 31 is configured to receive a data access request, where the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
在一些实施例中,第二元数据根据第一元数据构造,当第一元数据有多个时,第二元数据可根据部分或全部的第一元数据构造。在一些实施例中,第一元数据可以为明文对应的元数据,也可以为密文对应的元数据,该第一元数据可选择通过明文传输。In some embodiments, the second metadata is constructed based on the first metadata. When there are multiple first metadata, the second metadata may be constructed based on part or all of the first metadata. In some embodiments, the first metadata may be metadata corresponding to plain text or metadata corresponding to cipher text, and the first metadata may optionally be transmitted in plain text.
在一些实施例中,数据访问请求包括用于加密访问令牌的密钥。In some embodiments, the data access request includes a key used to encrypt the access token.
访问令牌解密单元32,用于解密所述加密后的访问令牌;The access token decryption unit 32 is used to decrypt the encrypted access token;
第二元数据获取单元33,用于若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;The second metadata obtaining unit 33 is configured to obtain the second metadata included in the access token if the encrypted access token is successfully decrypted;
数据访问请求选择响应单元34,用于根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。The data access request selection response unit 34 is configured to select whether to respond to the data access request based on the second metadata and the first metadata.
本申请实施例中,由于数据访问请求包括加密后的访问令牌,因此,服务方只有在解密出访问令牌以及在比对第二元数据与第一元数据后才会选择是否响应接收的数据访问请求,即由于增加了一个选择过程,从而在不需要客户端密钥的情况下也能保证客户端私密信息的安全性。In the embodiment of the present application, since the data access request includes the encrypted access token, the server will only choose whether to respond to the received after decrypting the access token and comparing the second metadata with the first metadata The data access request, that is, due to the addition of a selection process, can ensure the security of the client's private information without requiring the client's key.
实施例四Example 4
与上述实施例二对应,本申请实施例四提供了另一种数据访问装置,上述数据访问装置可集成于移动终端中,如图4所示,本申请实施例中的数据访问装置4包括:Corresponding to the second embodiment, the fourth embodiment of the present application provides another data access device. The above data access device may be integrated into a mobile terminal. As shown in FIG. 4, the data access device 4 in the embodiment of the present application includes:
数据访问请求接收单元41,用于接收数据访问请求,所述数据访问请求包括第一元数据、加密后的访问令牌以及采用公钥加密所述用于加密所述访问令牌的密钥,所述访问令牌包括第二元数据;The data access request receiving unit 41 is configured to receive a data access request including first metadata, an encrypted access token, and a public key to encrypt the key used to encrypt the access token, The access token includes second metadata;
密钥解密单元42,用于采用预设的私钥解密所述采用公钥加密后的所述用于加密所述访问令牌的密钥;The key decryption unit 42 is used to decrypt the key used to encrypt the access token after being encrypted using the public key by using a preset private key;
访问令牌解密单元43,用于若解密出用于加密所述访问令牌的密钥,根据解密出的密钥解密所述加密后的访问令牌。The access token decrypting unit 43 is configured to decrypt the encrypted access token according to the decrypted key if the key used to encrypt the access token is decrypted.
第二元数据获取单元44,用于若成功解密所述加密后的访问令牌,获取所述访问令牌包括的 第二元数据;The second metadata obtaining unit 44 is configured to obtain second metadata included in the access token if the encrypted access token is successfully decrypted;
数据访问请求选择响应单元45,用于根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。The data access request selection response unit 45 is configured to select whether to respond to the data access request based on the second metadata and the first metadata.
在一些实施例中,为了提高解密出密钥的成功率,数据访问装置4还包括:In some embodiments, in order to increase the success rate of decrypting the key, the data access device 4 further includes:
公钥发送单元,用于若没有解密出用于加密所述访问令牌的密钥,获取系统中最新的公钥私钥对,并将所述公钥私钥对中的公钥返回至客户端。The public key sending unit is used to obtain the latest public key private key pair in the system if the key used to encrypt the access token is not decrypted, and return the public key in the public key private key pair to the customer end.
需要指出的是,这里的客户端是指服务方记录的合法的客户端,其不一定为发送当前的数据访问请求的客户端,这样能够避免将公钥发送给非法的客户端。It should be pointed out that the client here refers to a legitimate client recorded by the server, which is not necessarily the client that sends the current data access request, so as to avoid sending the public key to the illegal client.
在一些实施例中,所述第二元数据包括第二明文校验值,则所述第二元数据获取单元44具体用于:In some embodiments, the second metadata includes a second clear text check value, then the second metadata acquisition unit 44 is specifically configured to:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值;If the encrypted access token is successfully decrypted, obtain the second clear text check value included in the access token;
对应地,所述数据访问请求选择响应单元45具体用于:Correspondingly, the data access request selection response unit 45 is specifically used for:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
在一些实施例中,第二元数据包括第二终端标识,则所述第二元数据获取单元44具体用于:In some embodiments, the second metadata includes the second terminal identification, and the second metadata acquisition unit 44 is specifically configured to:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识;If the encrypted access token is successfully decrypted, obtain the terminal identification included in the access token;
对应地,所述数据访问装置4还包括:Correspondingly, the data access device 4 further includes:
终端标识是否合法判断单元,用于判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问。The terminal identifier is a legal judgment unit, which is used to judge whether the terminal identifier is a legal terminal identifier, and mark the data access request as illegal access when the terminal identifier is an illegal terminal identifier.
若所述终端标识为合法的终端标识,则执行所述数据访问请求选择响应单元45,所述数据访问请求选择响应单元45具体用于:If the terminal identifier is a legal terminal identifier, the data access request selection response unit 45 is executed, and the data access request selection response unit 45 is specifically used to:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
为了进一步提高隐私信息的安全性,在一些实施例中,所述数据访问装置4还包括:访问频率合法性判断单元,用于在验证终端标识为合法的终端标识后,验证所述终端标识对应的客户端的访问频率是否合法,若不合法,对本次数据访问请求对应的访问限流。若合法,则执行所述数据访问请求选择响应单元45,所述数据访问请求选择响应单元45具体用于:In order to further improve the security of private information, in some embodiments, the data access device 4 further includes: an access frequency legality judgment unit, configured to verify that the terminal ID corresponds to the terminal ID after verifying that the terminal ID is a legal terminal ID Whether the access frequency of the client is legal, and if not, the access limit corresponding to this data access request is limited. If it is legal, the data access request selection response unit 45 is executed, and the data access request selection response unit 45 is specifically used to:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
在一些实施例中,所述第二元数据还包括第二密文校验值,所述数据访问请求包括主体密文,则所述第二元数据获取单元44具体用于:In some embodiments, the second metadata further includes a second ciphertext verification value, and the data access request includes the subject ciphertext, and the second metadata acquisition unit 44 is specifically configured to:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second ciphertext verification value included in the access token;
对应地,所述数据访问请求选择响应单元45具体用于:Correspondingly, the data access request selection response unit 45 is specifically used for:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, the subject The first ciphertext check value corresponding to the ciphertext is compared with the second ciphertext check value, and if the first ciphertext check value is the same as the second ciphertext check value, respond to the data access request.
若所述第二明文校验值与所述第一明文校验值不同,则标识所述数据访问请求为非法访问。If the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
当然,若所述第二元数据包括第二明文校验值、第二密文校验值以及终端标识,则所述第二元数据获取单元44具体用于:Of course, if the second metadata includes a second clear text check value, a second cipher text check value, and a terminal identifier, the second metadata obtaining unit 44 is specifically configured to:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值、第二密文校验值以及终端标识;If the encrypted access token is successfully decrypted, obtain the second clear text verification value, the second cipher text verification value, and the terminal identification included in the access token;
此时,所述数据访问装置4还包括:At this time, the data access device 4 further includes:
终端标识是否合法判断单元,用于判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问;Whether the terminal identification is legal judgment unit is used to determine whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identify the data access request as illegal access;
对应地,所述数据访问请求选择响应单元45具体用于:若所述终端标识为合法的终端标识,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。Correspondingly, the data access request selection response unit 45 is specifically configured to: if the terminal identification is a legal terminal identification, verify the second clear text check value and the first clear text check corresponding to the first metadata Value comparison, if the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, If the first ciphertext verification value is the same as the second ciphertext verification value, respond to the data access request.
为了提高抵抗重放攻击的鲁棒性,可设置访问令牌的有效时间,该有效时间通过第二时间戳体现。此时,所述第二元数据包括第二时间戳,则所述第二元数据获取单元44具体用于:In order to improve the robustness against replay attacks, the validity time of the access token can be set, and the validity time is reflected by the second time stamp. At this time, the second metadata includes a second timestamp, and the second metadata acquisition unit 44 is specifically configured to:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳;If the encrypted access token is successfully decrypted, obtain the second time stamp included in the access token;
对应地,所述数据访问请求选择响应单元45具体用于:Correspondingly, the data access request selection response unit 45 is specifically used for:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,响应所述数据访问请求。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, the server itself is obtained The first timestamp, if the difference between the second timestamp and the first timestamp is less than or equal to a preset time difference, respond to the data access request.
在一些实施例中,所述数据访问装置4还包括:In some embodiments, the data access device 4 further includes:
限流操作执行单元,用于若所述第二时间戳与所述第一时间戳的差值大于所述预设时间差值,对所述数据访问请求执行限流操作。The current limiting operation execution unit is configured to perform a current limiting operation on the data access request if the difference between the second time stamp and the first time stamp is greater than the preset time difference.
在一些实施例中,所述第二元数据还包括第二时间戳和第二密文校验值,所述数据访问请求包括主体密文,则所述第二元数据获取单元44具体用于:In some embodiments, the second metadata further includes a second timestamp and a second ciphertext verification value, and the data access request includes the subject ciphertext, then the second metadata acquisition unit 44 is specifically configured to :
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second time stamp and the second ciphertext verification value included in the access token;
对应地,所述数据访问请求选择响应单元45具体用于:Correspondingly, the data access request selection response unit 45 is specifically used for:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, the server itself is obtained The first timestamp, if the difference between the second timestamp and the first timestamp is less than or equal to a preset time difference, the first ciphertext check value corresponding to the subject ciphertext is The second ciphertext verification value is compared, and if the first ciphertext verification value is the same as the second ciphertext verification value, respond to the data access request.
在一些实施例中,若所述第二元数据包括:终端标识、第二时间戳、第二明文校验值和第二密文校验值,所述数据访问请求包括主体密文,则所述第二元数据获取单元44具体用于:In some embodiments, if the second metadata includes: a terminal identifier, a second time stamp, a second clear text check value, and a second cipher text check value, and the data access request includes the subject cipher text, then The second metadata acquisition unit 44 is specifically used to:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识、第二时间戳、第二明文校验值和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the terminal identifier, second time stamp, second clear text check value, and second cipher text check value included in the access token;
此时,所述数据访问装置4还包括:At this time, the data access device 4 further includes:
终端标识是否合法判断单元,用于判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问;Whether the terminal identification is legal judgment unit is used to determine whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identify the data access request as illegal access;
所述数据访问请求选择响应单元45具体用于:若所述终端标识为合法的终端标识,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。The data access request selection response unit 45 is specifically configured to: if the terminal identification is a legal terminal identification, acquire the first time stamp of the service party itself, and if the difference between the second time stamp and the first time stamp is If the value is less than or equal to the preset time difference, compare the second clear text check value with the first clear text check value corresponding to the first metadata, if the second clear text check value is equal to the first The plain text check value is the same, and the first cipher text check value corresponding to the subject cipher text is compared with the second cipher text check value, if the first cipher text check value is the second cipher text The verification value is the same and responds to the data access request.
在一些实施例中,若所述第二元数据包括:终端标识、第二时间戳、第二明文校验值和第二密文校验值,所述数据访问请求包括主体密文,则所述第二元数据获取单元44具体用于:In some embodiments, if the second metadata includes: a terminal identifier, a second time stamp, a second clear text check value, and a second cipher text check value, and the data access request includes the subject cipher text, then The second metadata acquisition unit 44 is specifically used to:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识、第二时间戳、第二明文校验值和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the terminal identifier, second time stamp, second clear text check value, and second cipher text check value included in the access token;
此时,所述数据访问装置4还包括:At this time, the data access device 4 further includes:
终端标识是否合法判断单元,用于判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问;Whether the terminal identification is legal judgment unit is used to determine whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identify the data access request as illegal access;
对应地,所述数据访问请求选择响应单元45具体用于:Correspondingly, the data access request selection response unit 45 is specifically used for:
若所述终端标识为合法的终端标识,验证所述终端标识对应的客户端的访问频率是否合法,若所述终端标识对应的客户端的访问频率合法,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the terminal ID is a legal terminal ID, verify whether the client's access frequency corresponding to the terminal ID is legal, and if the client's access frequency corresponding to the terminal ID is legal, obtain the first time stamp of the server itself. The difference between the second time stamp and the first time stamp is less than or equal to a preset time difference, and the second clear text check value is compared with the first clear text check value corresponding to the first metadata, If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
实施例五Example 5
本申请实施例提供了一种移动终端,请参阅图5,本申请实施例中的移动终端包括:存储器501,一个或多个处理器502(图5中仅示出一个)及存储在存储器501上并可在处理器上运行的计算机程序。其中:存储器501用于存储软件程序以及模块,处理器502通过运行存储在存储器501的软件程序以及单元,从而执行各种功能应用以及数据处理,以获取上述预设事件对应的资源。具体地,处理器502通过运行存储在存储器501的上述计算机程序时实现以下步骤:An embodiment of the present application provides a mobile terminal, please refer to FIG. 5, the mobile terminal in the embodiment of the present application includes: a memory 501, one or more processors 502 (only one is shown in FIG. 5) and stored in the memory 501 A computer program that can be run on a processor. The memory 501 is used to store software programs and modules. The processor 502 executes various functional applications and data processing by running the software programs and units stored in the memory 501 to obtain resources corresponding to the preset events. Specifically, the processor 502 implements the following steps by running the above computer program stored in the memory 501:
接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;Receiving a data access request, the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
解密所述加密后的访问令牌;Decrypt the encrypted access token;
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。Select whether to respond to the data access request according to the second metadata and the first metadata.
假设上述为第一种可能的实施方式,则在第一种可能的实施方式作为基础而提供的第二种可能的实施方式中,所述数据访问请求还包括采用公钥加密后的用于加密所述访问令牌的密钥;Assuming that the above is the first possible implementation manner, in the second possible implementation manner provided on the basis of the first possible implementation manner, the data access request further includes a public key for encryption The key of the access token;
对应地,所述解密所述加密后的访问令牌包括:Correspondingly, the decrypting the encrypted access token includes:
采用预设的私钥解密所述采用公钥加密后的所述用于加密所述访问令牌的密钥;Using a preset private key to decrypt the key used to encrypt the access token after being encrypted using the public key;
若解密出用于加密所述访问令牌的密钥,根据解密出的密钥解密所述加密后的访问令牌。If the key used to encrypt the access token is decrypted, the encrypted access token is decrypted according to the decrypted key.
在上述第二种可能的实施方式作为基础而提供的第三种可能的实施方式中,处理器502通过运行存储在存储器501的上述计算机程序时还实现以下步骤:In a third possible implementation manner provided as the basis of the above-mentioned second possible implementation manner, the processor 502 further implements the following steps when running the above-mentioned computer program stored in the memory 501:
若没有解密出用于加密所述访问令牌的密钥,获取系统中最新的公钥私钥对,并将所述公钥私钥对中的公钥返回至客户端。If the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained, and the public key in the public key private key pair is returned to the client.
在上述第一种可能的实施方式作为基础而提供的第四种可能的实施方式中,所述第二元数据包括第二明文校验值,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a fourth possible implementation manner provided as the basis of the first possible implementation manner described above, the second metadata includes a second clear text check value, then if the encrypted access order is successfully decrypted Card, and obtaining the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值;If the encrypted access token is successfully decrypted, obtain the second clear text check value included in the access token;
对应地,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:Correspondingly, the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
在上述第四种可能的实施方式作为基础而提供的第五种可能的实施方式中,所述第二元数据包括终端标识,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a fifth possible implementation manner provided as the basis of the above fourth possible implementation manner, the second metadata includes a terminal identification, then if the encrypted access token is successfully decrypted, the The second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识;If the encrypted access token is successfully decrypted, obtain the terminal identification included in the access token;
对应地,所述数据访问方法还包括:Correspondingly, the data access method further includes:
判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问。Judging whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identifying the data access request as illegal access.
在上述第五种可能的实施方式作为基础而提供的第六种可能的实施方式中,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:In a sixth possible implementation manner provided as the basis of the above fifth possible implementation manner, the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
若所述终端标识为合法的终端标识,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。If the terminal identifier is a legal terminal identifier, compare the second plain text check value with the first plain text check value corresponding to the first metadata, and if the second plain text check value is equal to the first A clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access.
在上述第四种可能的实施方式作为基础而提供的第七种可能的实施方式中,所述第二元数据还包括第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In a seventh possible implementation manner provided as the basis of the above fourth possible implementation manner, the second metadata also includes a second ciphertext verification value, and the data access request includes the subject ciphertext, then If the encrypted access token is successfully decrypted, obtaining the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second ciphertext verification value included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
在上述第四种可能的实施方式作为基础而提供的第八种可能的实施方式中,所述第二元数据还包括第二时间戳,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In an eighth possible embodiment provided as the basis of the fourth possible embodiment above, the second metadata further includes a second timestamp, if the encrypted access token is successfully decrypted , Obtaining the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳;If the encrypted access token is successfully decrypted, obtain the second time stamp included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
在上述第八种可能的实施方式作为基础而提供的第九种可能的实施方式中,处理器502通过运行存储在存储器501的上述计算机程序时还实现以下步骤:In the ninth possible implementation manner provided as the basis of the eighth possible implementation manner described above, the processor 502 further implements the following steps when running the above computer program stored in the memory 501:
若所述第二时间戳与所述第一时间戳的差值大于所述预设时间差值,对所述数据访问请求执行限流操作。If the difference between the second time stamp and the first time stamp is greater than the preset time difference, a current limiting operation is performed on the data access request.
在上述第四种可能的实施方式作为基础而提供的第十种可能的实施方式中,所述第二元数据还包括第二时间戳和第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:In the tenth possible implementation manner provided as the basis of the above fourth possible implementation manner, the second metadata further includes a second time stamp and a second ciphertext verification value, and the data access request includes Subject ciphertext, if the encrypted access token is successfully decrypted, obtaining the second metadata included in the access token is specifically:
若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second time stamp and the second ciphertext verification value included in the access token;
对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to Preset a time difference, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value and the second ciphertext The verification value is the same and responds to the data access request.
进一步,如图5所示,上述移动终端还可包括:一个或多个输入设备503(图5中仅示出一个)和一个或多个输出设备504(图5中仅示出一个)。存储器501、处理器502、输入设备503和输出设备504通过总线505连接。Further, as shown in FIG. 5, the above mobile terminal may further include: one or more input devices 503 (only one is shown in FIG. 5) and one or more output devices 504 (only one is shown in FIG. 5). The memory 501, the processor 502, the input device 503, and the output device 504 are connected through a bus 505.
应当理解,在本申请实施例中,所称处理器502可以是中央处理单元(Central Processing Unit,CPU),该处理器还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现成可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。It should be understood that in the embodiment of the present application, the so-called processor 502 may be a central processing unit (Central Processing Unit, CPU), and the processor may also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP) , Application Specific Integrated Circuit (Application Specific Integrated Circuit, ASIC), ready-made programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
输入设备503可以包括键盘、触控板、指纹采传感器(用于采集用户的指纹信息和指纹的方向信息)、麦克风等,输出设备504可以包括显示器、扬声器等。The input device 503 may include a keyboard, a touchpad, a fingerprint sensor (for collecting user's fingerprint information and fingerprint direction information), a microphone, etc., and the output device 504 may include a display, a speaker, and the like.
存储器501可以包括只读存储器和随机存取存储器,并向处理器502提供指令和数据。存储器501的一部分或全部还可以包括非易失性随机存取存储器。例如,存储器501还可以存储设备类型的信息。The memory 501 may include a read-only memory and a random access memory, and provide instructions and data to the processor 502. Part or all of the memory 501 may also include non-volatile random access memory. For example, the memory 501 may also store device type information.
所属领域的技术人员可以清楚地了解到,为了描述的方便和简洁,仅以上述各功能单元、模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能单元、模块完成,即将上述装置的内部结构划分成不同的功能单元或模块,以完成以上描述的全部或者部分功能。实施例中的各功能单元、模块可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中,上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。另外,各功能单元、模块的具体名称也只是为了便于相互区分,并不用于限制本申请的保护范围。上述系统中单元、模块的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for convenience and conciseness of description, only the above-mentioned division of each functional unit and module is used as an example for illustration. In practical applications, the above-mentioned functions may be allocated by different functional units, Module completion means that the internal structure of the above device is divided into different functional units or modules to complete all or part of the functions described above. The functional units and modules in the embodiments may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The above integrated unit may use hardware It can also be implemented in the form of software functional units. In addition, the specific names of each functional unit and module are only for the purpose of distinguishing each other, and are not used to limit the protection scope of the present application. For the specific working processes of the units and modules in the above system, reference may be made to the corresponding processes in the foregoing method embodiments, which will not be repeated here.
在上述实施例中,对各个实施例的描述都各有侧重,某个实施例中没有详述或记载的部分,可以参见其它实施例的相关描述。In the above embodiments, the description of each embodiment has its own emphasis. For a part that is not detailed or recorded in an embodiment, you can refer to the related descriptions of other embodiments.
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者外部设备软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those of ordinary skill in the art may realize that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of external device software and electronic hardware. Whether these functions are executed in hardware or software depends on the specific application of the technical solution and design constraints. Professional technicians can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
在本申请所提供的实施例中,应该理解到,所揭露的装置和方法,可以通过其它的方式实现。例如, 以上所描述的系统实施例仅仅是示意性的,例如,上述模块或单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通讯连接可以是通过一些接口,装置或单元的间接耦合或通讯连接,可以是电性,机械或其它的形式。In the embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. For example, the system embodiments described above are only schematic. For example, the division of the above-mentioned modules or units is only a division of logical functions. In actual implementation, there may be other divisions, for example, multiple units or components may be combined Or it can be integrated into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
上述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
上述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读存储介质中。基于这样的理解,本申请实现上述实施例方法中的全部或部分流程,也可以通过计算机程序来指令相关的硬件来完成,上述的计算机程序可存储于一计算机可读存储介质中,该计算机程序在被处理器执行时,可实现上述各个方法实施例的步骤。其中,上述计算机程序包括计算机程序代码,上述计算机程序代码可以为源代码形式、对象代码形式、可执行文件或某些中间形式等。上述计算机可读存储介质可以包括:能够携带上述计算机程序代码的任何实体或装置、记录介质、U盘、移动硬盘、磁碟、光盘、计算机可读存储器、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、电载波信号、电信信号以及软件分发介质等。需要说明的是,上述计算机可读存储介质包含的内容可以根据司法管辖区内立法和专利实践的要求进行适当的增减,例如在某些司法管辖区,根据立法和专利实践,计算机可读存储介质不包括电载波信号和电信信号。If the above integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the present application can implement all or part of the processes in the methods of the above embodiments, and can also be completed by instructing relevant hardware through a computer program. The above computer program can be stored in a computer-readable storage medium, and the computer program When executed by the processor, the steps of the foregoing method embodiments may be implemented. Wherein, the above-mentioned computer program includes computer program code, and the above-mentioned computer program code may be in the form of source code, object code, executable file or some intermediate form. The above-mentioned computer-readable storage medium may include: any entity or device capable of carrying the above-mentioned computer program code, recording medium, U disk, removable hard disk, magnetic disk, optical disk, computer-readable memory, read-only memory (ROM, Read-Only Memory) ), Random Access Memory (RAM, Random Access Memory), electrical carrier signals, telecommunications signals and software distribution media, etc. It should be noted that the content contained in the above computer-readable storage medium can be appropriately increased or decreased according to the requirements of legislation and patent practice in jurisdictions. For example, in some jurisdictions, according to legislation and patent practice, computer-readable storage The medium does not include electrical carrier signals and telecommunication signals.
以上上述实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围,均应包含在本申请的保护范围之内。The above-mentioned embodiments are only used to illustrate the technical solutions of the present application, not to limit them; although the present application has been described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they can still perform the foregoing embodiments The recorded technical solutions are modified, or some of the technical features are equivalently replaced; and these modifications or replacements do not deviate the essence of the corresponding technical solutions from the spirit and scope of the technical solutions of the embodiments of this application, and should be included in this Within the scope of protection applied for.

Claims (20)

  1. 一种数据访问方法,其特征在于,包括:A data access method, characterized in that it includes:
    接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;Receiving a data access request, the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
    解密所述加密后的访问令牌;Decrypt the encrypted access token;
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
    根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。Select whether to respond to the data access request according to the second metadata and the first metadata.
  2. 如权利要求1所述的数据访问方法,其特征在于,所述数据访问请求还包括采用公钥加密后的用于加密所述访问令牌的密钥;The data access method according to claim 1, wherein the data access request further includes a key used to encrypt the access token after being encrypted using a public key;
    对应地,所述解密所述加密后的访问令牌包括:Correspondingly, the decrypting the encrypted access token includes:
    采用预设的私钥解密所述采用公钥加密后的所述用于加密所述访问令牌的密钥;Using a preset private key to decrypt the key used to encrypt the access token after being encrypted using the public key;
    若解密出用于加密所述访问令牌的密钥,根据解密出的密钥解密所述加密后的访问令牌。If the key used to encrypt the access token is decrypted, the encrypted access token is decrypted according to the decrypted key.
  3. 如权利要求2所述的数据访问方法,其特征在于,若没有解密出用于加密所述访问令牌的密钥,获取系统中最新的公钥私钥对,并将所述公钥私钥对中的公钥返回至客户端。The data access method according to claim 2, wherein if the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained, and the public key private key is The public key in the pair is returned to the client.
  4. 如权利要求1所述的数据访问方法,其特征在于,所述第二元数据包括第二明文校验值,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The data access method according to claim 1, wherein the second metadata includes a second clear text check value, and then if the encrypted access token is successfully decrypted, the access token is obtained The included second metadata is specifically:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值;If the encrypted access token is successfully decrypted, obtain the second clear text check value included in the access token;
    对应地,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:Correspondingly, the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
    将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
  5. 如权利要求4所述的数据访问方法,其特征在于,所述第二元数据包括终端标识,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The data access method according to claim 4, wherein the second metadata includes a terminal identification, and then if the encrypted access token is successfully decrypted, the second included in the access token is acquired The metadata is specifically:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识;If the encrypted access token is successfully decrypted, obtain the terminal identification included in the access token;
    对应地,所述数据访问方法还包括:Correspondingly, the data access method further includes:
    判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问。Judging whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identifying the data access request as illegal access.
  6. 如权利要求5所述的数据访问方法,其特征在于,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:The data access method according to claim 5, wherein the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
    若所述终端标识为合法的终端标识,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。If the terminal identifier is a legal terminal identifier, compare the second plain text check value with the first plain text check value corresponding to the first metadata, and if the second plain text check value is equal to the first A clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access.
  7. 如权利要求4所述的数据访问方法,其特征在于,所述第二元数据还包括第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The data access method according to claim 4, wherein the second metadata further includes a second ciphertext verification value, and the data access request includes a main body ciphertext, then the encryption is decrypted if successful After obtaining the access token, obtaining the second metadata included in the access token is specifically:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second ciphertext verification value included in the access token;
    对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
    若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
  8. 如权利要求4所述的数据访问方法,其特征在于,所述第二元数据还包括第二时间戳,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The data access method according to claim 4, wherein the second metadata further includes a second timestamp, and then if the encrypted access token is successfully decrypted, acquiring the access token includes The second metadata is:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳;If the encrypted access token is successfully decrypted, obtain the second time stamp included in the access token;
    对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
    若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
  9. 如权利要求8所述的数据访问方法,其特征在于,所述数据访问方法还包括:The data access method according to claim 8, wherein the data access method further comprises:
    若所述第二时间戳与所述第一时间戳的差值大于所述预设时间差值,对所述数据访问请求执行限流操作。If the difference between the second time stamp and the first time stamp is greater than the preset time difference, a current limiting operation is performed on the data access request.
  10. 如权利要求4所述的数据访问方法,其特征在于,所述第二元数据还包括第二时间戳和第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The data access method according to claim 4, wherein the second metadata further includes a second time stamp and a second ciphertext verification value, and the data access request includes the subject ciphertext, then the Successfully decrypt the encrypted access token, and obtain the second metadata included in the access token specifically:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳和第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second time stamp and the second ciphertext verification value included in the access token;
    对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
    若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to Preset a time difference, compare the first ciphertext check value corresponding to the subject ciphertext with the second ciphertext check value, if the first ciphertext check value and the second ciphertext The verification value is the same and responds to the data access request.
  11. 一种数据访问装置,其特征在于,包括:A data access device is characterized by comprising:
    第一数据访问请求接收单元,用于接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;A first data access request receiving unit, configured to receive a data access request, where the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
    访问令牌解密单元,用于解密所述加密后的访问令牌;An access token decryption unit, used to decrypt the encrypted access token;
    第二元数据获取单元,用于若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;A second metadata acquisition unit for acquiring the second metadata included in the access token if the encrypted access token is successfully decrypted;
    数据访问请求选择响应单元,用于根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。The data access request selection response unit is configured to select whether to respond to the data access request based on the second metadata and the first metadata.
  12. 一种移动终端,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机程序,其特征在于,所述处理器执行所述计算机程序时实现如下步骤:A mobile terminal includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, characterized in that, when the processor executes the computer program, the following steps are implemented:
    接收数据访问请求,所述数据访问请求包括第一元数据以及加密后的访问令牌,所述访问令牌包括第二元数据;Receiving a data access request, the data access request includes first metadata and an encrypted access token, and the access token includes second metadata;
    解密所述加密后的访问令牌;Decrypt the encrypted access token;
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据;If the encrypted access token is successfully decrypted, obtain the second metadata included in the access token;
    根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求。Select whether to respond to the data access request according to the second metadata and the first metadata.
  13. 根据权利要求12所述的移动终端,其特征在于,所述数据访问请求还包括采用公钥加密后的用于加密所述访问令牌的密钥,对应地,所述解密所述加密后的访问令牌包括:The mobile terminal according to claim 12, wherein the data access request further includes a key for encrypting the access token encrypted using a public key, and correspondingly, the decrypting the encrypted Access tokens include:
    采用预设的私钥解密所述采用公钥加密后的所述用于加密所述访问令牌的密钥;Using a preset private key to decrypt the key used to encrypt the access token after being encrypted using the public key;
    若解密出用于加密所述访问令牌的密钥,根据解密出的密钥解密所述加密后的访问令牌。If the key used to encrypt the access token is decrypted, the encrypted access token is decrypted according to the decrypted key.
  14. 根据权利要求13所述的移动终端,其特征在于,若没有解密出用于加密所述访问令牌的密钥,获取系统中最新的公钥私钥对,并将所述公钥私钥对中的公钥返回至客户端。The mobile terminal according to claim 13, wherein if the key used to encrypt the access token is not decrypted, the latest public key private key pair in the system is obtained, and the public key private key pair The public key in is returned to the client.
  15. 根据权利要求12所述的移动终端,其特征在于,所述第二元数据包括第二明文校验值,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The mobile terminal according to claim 12, wherein the second metadata includes a second clear text check value, and then if the encrypted access token is successfully decrypted, acquiring the access token includes The second metadata is:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二明文校验值;If the encrypted access token is successfully decrypted, obtain the second clear text check value included in the access token;
    对应地,所述根据所述第二元数据与所述第一元数据选择是否响应所述数据访问请求具体为:Correspondingly, the selection of whether to respond to the data access request according to the second metadata and the first metadata is specifically:
    将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。Comparing the second clear text check value with the first clear text check value corresponding to the first metadata, and if the second clear text check value is the same as the first clear text check value, responding to the data In the access request, if the second clear text check value is different from the first clear text check value, the data access request is identified as illegal access.
  16. 根据权利要求15所述的移动终端,其特征在于,所述第二元数据包括终端标识,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The mobile terminal according to claim 15, wherein the second metadata includes a terminal identification, and then if the encrypted access token is successfully decrypted, the second element included in the access token is acquired The data is specifically:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的终端标识;If the encrypted access token is successfully decrypted, obtain the terminal identification included in the access token;
    对应地,所述处理器执行所述计算机程序时还实现以下步骤:Correspondingly, the processor also implements the following steps when executing the computer program:
    判断所述终端标识是否为合法的终端标识,并在所述终端标识为非法的终端标识时,标识所述数据访问请求为非法访问。Judging whether the terminal identification is a legal terminal identification, and when the terminal identification is an illegal terminal identification, identifying the data access request as illegal access.
  17. 根据权利要求16所述的移动终端,其特征在于,所述根据所述第二元数据与所述第一元数 据选择是否响应所述数据访问请求具体为:The mobile terminal according to claim 16, wherein the selection of whether to respond to the data access request based on the second metadata and the first metadata specifically includes:
    若所述终端标识为合法的终端标识,将所述第二明文校验值和所述第一元数据对应的第一明文校验值比较,若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求,若所述第二明文校验值与所述第一明文校验值不同,标识所述数据访问请求为非法访问。If the terminal identifier is a legal terminal identifier, compare the second plain text check value with the first plain text check value corresponding to the first metadata, and if the second plain text check value is equal to the first A clear text verification value is the same, and in response to the data access request, if the second clear text verification value is different from the first clear text verification value, the data access request is identified as illegal access.
  18. 根据权利要求15所述的移动终端,其特征在于,所述第二元数据还包括第二密文校验值,所述数据访问请求包括主体密文,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The mobile terminal according to claim 15, characterized in that the second metadata further includes a second ciphertext verification value, and the data access request includes a main body ciphertext, and then if the encryption is successfully decrypted To obtain the second metadata included in the access token is:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二密文校验值;If the encrypted access token is successfully decrypted, obtain the second ciphertext verification value included in the access token;
    对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
    若所述第二明文校验值与所述第一明文校验值相同,将所述主体密文对应的第一密文校验值与所述第二密文校验值比较,若所述第一密文校验值与所述第二密文校验值相同,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, compare the first cipher text check value corresponding to the subject cipher text with the second cipher text check value, if the The first ciphertext verification value is the same as the second ciphertext verification value, and responds to the data access request.
  19. 根据权利要求15所述的移动终端,其特征在于,所述第二元数据还包括第二时间戳,则所述若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二元数据具体为:The mobile terminal according to claim 15, wherein the second metadata further includes a second time stamp, and then if the encrypted access token is successfully decrypted, acquiring the access token includes The second metadata is:
    若成功解密所述加密后的访问令牌,获取所述访问令牌包括的第二时间戳;If the encrypted access token is successfully decrypted, obtain the second time stamp included in the access token;
    对应地,所述若所述第二明文校验值与所述第一明文校验值相同,响应所述数据访问请求具体为:Correspondingly, if the second clear text check value is the same as the first clear text check value, responding to the data access request is specifically:
    若所述第二明文校验值与所述第一明文校验值相同,获取服务方本身的第一时间戳,若所述第二时间戳与所述第一时间戳的差值小于或等于预设时间差值,响应所述数据访问请求。If the second clear text check value is the same as the first clear text check value, obtain the first time stamp of the server itself, and if the difference between the second time stamp and the first time stamp is less than or equal to The preset time difference value responds to the data access request.
  20. 一种计算机可读存储介质,所述计算机可读存储介质存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现如权利要求1至10任一项所述方法的步骤。A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 10 are implemented.
PCT/CN2018/116434 2018-11-20 2018-11-20 Data access method, data access apparatus, and mobile terminal WO2020102974A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2018/116434 WO2020102974A1 (en) 2018-11-20 2018-11-20 Data access method, data access apparatus, and mobile terminal
CN201880098468.5A CN112823503B (en) 2018-11-20 2018-11-20 Data access method, data access device and mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/116434 WO2020102974A1 (en) 2018-11-20 2018-11-20 Data access method, data access apparatus, and mobile terminal

Publications (1)

Publication Number Publication Date
WO2020102974A1 true WO2020102974A1 (en) 2020-05-28

Family

ID=70773102

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/116434 WO2020102974A1 (en) 2018-11-20 2018-11-20 Data access method, data access apparatus, and mobile terminal

Country Status (2)

Country Link
CN (1) CN112823503B (en)
WO (1) WO2020102974A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609504A (en) * 2021-08-11 2021-11-05 珠海格力电器股份有限公司 Data processing method, device and system, electronic equipment and storage medium
CN115292697A (en) * 2022-10-10 2022-11-04 北京安帝科技有限公司 Memory protection method and device based on intrusion behavior analysis
CN115459929A (en) * 2022-09-06 2022-12-09 中国建设银行股份有限公司 Security verification method, apparatus, electronic device, system, medium, and product
CN115842679A (en) * 2022-12-30 2023-03-24 江西曼荼罗软件有限公司 Data transmission method and system based on digital envelope technology
CN117579403A (en) * 2024-01-17 2024-02-20 永鼎行远(南京)信息科技有限公司 Device for accessing trusted application

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115061826B (en) * 2022-02-28 2024-02-13 华为技术有限公司 Component communication method and computing device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113552A (en) * 2014-07-28 2014-10-22 百度在线网络技术(北京)有限公司 Platform authorization method, platform server side, application client side and system
CN105429978A (en) * 2015-11-13 2016-03-23 中国建设银行股份有限公司 Data access methods and system, and equipment
US20160359629A1 (en) * 2015-02-05 2016-12-08 Apple Inc. Relay service for communication between controllers and accessories
CN107979590A (en) * 2017-11-02 2018-05-01 财付通支付科技有限公司 Data sharing method, client, server, computing device and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187389B (en) * 2015-08-07 2019-01-04 北京思特奇信息技术股份有限公司 A kind of Web access method and system for obscuring encryption based on number
CN106230838A (en) * 2016-08-04 2016-12-14 中国银联股份有限公司 A kind of third-party application accesses the method and apparatus of resource
CN108259437B (en) * 2016-12-29 2021-06-04 北京神州泰岳软件股份有限公司 HTTP access method, HTTP server and system
CN108243188B (en) * 2017-12-29 2021-05-07 苏州朗润创新知识产权运营有限公司 Interface access, interface call and interface verification processing method and device
CN108494740B (en) * 2018-03-01 2021-08-24 捷开通讯(深圳)有限公司 Token generation and verification method, intelligent terminal and server
CN108471432B (en) * 2018-07-11 2020-09-11 北京智芯微电子科技有限公司 Method for preventing network application program interface from being attacked maliciously

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113552A (en) * 2014-07-28 2014-10-22 百度在线网络技术(北京)有限公司 Platform authorization method, platform server side, application client side and system
US20160359629A1 (en) * 2015-02-05 2016-12-08 Apple Inc. Relay service for communication between controllers and accessories
CN105429978A (en) * 2015-11-13 2016-03-23 中国建设银行股份有限公司 Data access methods and system, and equipment
CN107979590A (en) * 2017-11-02 2018-05-01 财付通支付科技有限公司 Data sharing method, client, server, computing device and storage medium

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609504A (en) * 2021-08-11 2021-11-05 珠海格力电器股份有限公司 Data processing method, device and system, electronic equipment and storage medium
CN113609504B (en) * 2021-08-11 2024-05-07 珠海格力电器股份有限公司 Data processing method, device and system, electronic equipment and storage medium
CN115459929A (en) * 2022-09-06 2022-12-09 中国建设银行股份有限公司 Security verification method, apparatus, electronic device, system, medium, and product
CN115459929B (en) * 2022-09-06 2024-05-10 中国建设银行股份有限公司 Security verification method, security verification device, electronic equipment, security verification system, security verification medium and security verification product
CN115292697A (en) * 2022-10-10 2022-11-04 北京安帝科技有限公司 Memory protection method and device based on intrusion behavior analysis
CN115842679A (en) * 2022-12-30 2023-03-24 江西曼荼罗软件有限公司 Data transmission method and system based on digital envelope technology
CN117579403A (en) * 2024-01-17 2024-02-20 永鼎行远(南京)信息科技有限公司 Device for accessing trusted application
CN117579403B (en) * 2024-01-17 2024-03-29 永鼎行远(南京)信息科技有限公司 Device for accessing trusted application

Also Published As

Publication number Publication date
CN112823503B (en) 2022-08-16
CN112823503A (en) 2021-05-18

Similar Documents

Publication Publication Date Title
WO2020102974A1 (en) Data access method, data access apparatus, and mobile terminal
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
CN108965230B (en) Secure communication method, system and terminal equipment
US9838205B2 (en) Network authentication method for secure electronic transactions
CN108737106B (en) User authentication method and device on block chain system, terminal equipment and storage medium
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
US9197420B2 (en) Using information in a digital certificate to authenticate a network of a wireless access point
JP2005102163A (en) Equipment authentication system, server, method and program, terminal and storage medium
US20100228982A1 (en) Fast-reconnection of negotiable authentication network clients
CN110958209B (en) Bidirectional authentication method, system and terminal based on shared secret key
CN103546289A (en) USB (universal serial bus) Key based secure data transmission method and system
US10439809B2 (en) Method and apparatus for managing application identifier
CN112055019B (en) Method for establishing communication channel and user terminal
CN112766962A (en) Method for receiving and sending certificate, transaction system, storage medium and electronic device
EP4022840A1 (en) Decentralized techniques for verification of data in transport layer security and other contexts
WO2021036511A1 (en) Method for data encryption, storage and reading, terminal device, and storage medium
WO2019037412A1 (en) Data transmission method, terminal, storage medium, and processor
CN111756528A (en) Quantum session key distribution method and device and communication architecture
CN109302425B (en) Identity authentication method and terminal equipment
WO2015109958A1 (en) Data processing method based on negotiation key, and mobile phone
CN107395350B (en) Method and system for generating key and key handle and intelligent key safety equipment
CN113038463A (en) Communication encryption authentication experimental device
WO2023284691A1 (en) Account opening method, system, and apparatus
CN114692120B (en) National password authentication method, virtual machine, terminal equipment, system and storage medium
TWI669672B (en) Electronic trading method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18940993

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18940993

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 29/09/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 18940993

Country of ref document: EP

Kind code of ref document: A1