WO2020211252A1 - 开放平台的安全管理方法、装置、计算机设备及存储介质 - Google Patents

开放平台的安全管理方法、装置、计算机设备及存储介质 Download PDF

Info

Publication number
WO2020211252A1
WO2020211252A1 PCT/CN2019/103517 CN2019103517W WO2020211252A1 WO 2020211252 A1 WO2020211252 A1 WO 2020211252A1 CN 2019103517 W CN2019103517 W CN 2019103517W WO 2020211252 A1 WO2020211252 A1 WO 2020211252A1
Authority
WO
WIPO (PCT)
Prior art keywords
channel party
open platform
security management
cooperative channel
score
Prior art date
Application number
PCT/CN2019/103517
Other languages
English (en)
French (fr)
Inventor
刘皋相
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020211252A1 publication Critical patent/WO2020211252A1/zh

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • This application belongs to the field of identity verification, and more specifically, relates to an open platform security management method, device, computer equipment, and storage medium.
  • An open platform refers to a software system that enables external programs to increase the functions of the software system or use the resources of the software system by opening its application programming interface (API) or functions without changing the source code of the software system.
  • API application programming interface
  • encapsulating website services into a series of computer-readable data interfaces are open for use by third-party developers. This behavior is called open API, and the platform that provides open API is called open platform.
  • the embodiments of the present application provide a security management method, device, computer equipment, and storage medium of an open platform, so as to solve the problem of potential security risks in the current security platform.
  • a security management method for an open platform includes:
  • an authorization token and authorization information corresponding to the security management score are generated according to the identifier, and the authorization information package Including token time limit information and authority description information;
  • the cooperation channel party accesses the open platform through the authorization token, the token time limit information and the authority description information are verified, and if the verification passes, the cooperation channel party is connected Enter the opening and opening.
  • a security management device for an open platform including:
  • an access request obtaining module configured to obtain an access request from a cooperative channel party, where the access request includes an identifier of the cooperative channel party;
  • the qualification score obtaining module is configured to obtain the audit qualification and security management score of the cooperative channel party according to the access request;
  • the authorization token generation module is configured to generate an authorization token and an authorization corresponding to the security management score according to the identifier if the audit qualification is in an audit passed state and the security management score reaches a preset score Information, the authorization information includes token time limit information and authority description information;
  • the authorization token sending module is used to send the authorization token to the client
  • the authorization information verification module is used to verify the token time limit information and the authority description information when the cooperative channel party accesses the open platform through the authorization token, and when the verification passes , Connect the cooperative channel party to the open platform.
  • a computer device including a memory, a processor, and computer-readable instructions stored in the memory and capable of running on the processor, and the processor implements the aforementioned opening when the processor executes the computer-readable instructions The security management method of the platform.
  • One or more non-volatile readable storage media storing computer readable instructions, when the computer readable instructions are executed by one or more processors, the one or more processors execute the above Security management method of open platform.
  • FIG. 1 is a schematic diagram of an application environment of an open platform security management method in an embodiment of the present application
  • FIG. 2 is a flowchart of a security management method of an open platform in an embodiment of the present application
  • FIG. 3 is another flowchart of the security management method of the open platform in an embodiment of the present application.
  • FIG. 4 is another flowchart of the security management method of the open platform in an embodiment of the present application.
  • FIG. 5 is another flowchart of the security management method of the open platform in an embodiment of the present application.
  • FIG. 6 is another flowchart of the security management method of the open platform in an embodiment of the present application.
  • FIG. 7 is a functional block diagram of the security management device of the open platform in an embodiment of the present application.
  • FIG. 8 is another functional block diagram of the security management device of the open platform in an embodiment of the present application.
  • FIG. 9 is a schematic block diagram of the authorization information verification module in the security management device of the open platform in an embodiment of the present application.
  • FIG. 10 is a schematic diagram of a computer device in an embodiment of the present application.
  • the security management method of the open platform provided by the present application can be applied to the application environment as shown in FIG. 1, where the client communicates with the server through the network, and the server obtains the access request of the cooperative channel party through the client , Where the access request includes the identifier of the partner channel; then, the server obtains the audit qualification and security management score of the partner channel according to the access request of the partner channel. If the audit qualification is in the approved state and the security management score reaches the expected If the score is set, the authorization token and the authorization information corresponding to the security management score are generated according to the identity of the cooperative channel party.
  • the authorization information includes token time limit information and permission description information; the server sends the generated authorization token to the client, if The cooperative channel party accesses the open platform through the authorization token on the client side, and then verifies the token time limit information and the authority description information, and if the verification passes, the cooperative channel party is connected to the open platform.
  • the client can be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices.
  • Server can use It can be realized by independent server or server cluster composed of multiple servers.
  • an open platform security management method is provided. Taking the method applied to the server in FIG. 1 as an example for description, the method includes the following steps:
  • S10 Acquire an access request from a cooperative channel party, where the access request includes an identifier of the cooperative channel party.
  • the cooperative channel party refers to the channel party that has a cooperative relationship with the open platform. For example, if the channel party "Jinyue Toutiao" has a cooperative relationship with the open platform, then the channel party "Today Toutiao" is the cooperation of the open platform. Channel party.
  • An access request refers to a request from a cooperative channel party to access an open platform.
  • the cooperative channel party can directly send the access request through the identification of the cooperative channel party.
  • the cooperative channel party inputs the identification of the cooperative channel party in the client of the open platform, and then sends the access request to the server by clicking the access button.
  • the monthly server can obtain the access request of the partner channel party.
  • the identifier of the cooperative channel party refers to the identifier of the cooperative channel party on the open platform, for example, the account of the open platform.
  • the open platform can also set the partner channel to send an access request through an identifier (the account of the open platform) and a password, where the password refers to the account password, which is different from subsequent authorization tokens.
  • S20 Obtain the audit qualification and safety management score of the cooperative channel party according to the access request.
  • the audit qualification of the partner channel party can be determined after the audit by the relevant audit department of the open platform.
  • the partner channel party submits a qualification review request through the open platform, and then the channel auditor, department leader, and compliance department of the open platform respectively complete the review qualification approval to determine whether the partner channel party can pass.
  • the audit qualification of the partner channel party includes the status of passed and failed.
  • the qualification review of the partner channel party can be completed through the ITSM (iTServiceManagement, IT service management) system developed by IBM.
  • the security management score is the score when the server performs related security management on the cooperative channel parties of the open platform.
  • related security management may be the management of the security of the open platform, such as the user traffic of the cooperative channel party, whether users of the cooperative channel party attack or steal the open platform, and whether the cooperative channel party fulfills the open platform regulations.
  • the server can pre-set a safety management scoring table, and then score according to the actual situation of the partner channel party, and use the scoring result as the safety management score.
  • the initial safety management score of the cooperative channel party can be set to a perfect score, such as 100 points, and then a deduction system is adopted. If the behavior of the cooperative channel party violates the relevant safety management regulations, it will be matched.
  • the channel party deducts the corresponding scores according to the preset safety management score sheet, and uses the remaining scores of the cooperative channel party as its safety management score.
  • the security management score sheet may stipulate that if a user of a cooperative channel party has an attack on an open platform, 10 points will be deducted from the cooperative channel party.
  • the server can set the security management score sheet, if the partner channel party violates the relevant security management regulations of the open platform, a larger proportion of points will be deducted; if the user of the partner channel party violates the security management related to the open platform When it is specified, the smaller proportion of points will be deducted.
  • the server when the server obtains the access request of the cooperative channel party, it obtains the corresponding audit qualification and safety management score of the cooperative channel party from the database of the cooperative channel party according to the identifier of the cooperative channel party.
  • S30 If the audit qualification is a passed state and the security management score reaches the preset score, an authorization token and authorization information corresponding to the security management score are generated according to the identifier, and the authorization information includes token time limit information and authority description information.
  • the preset score is preset by the server, such as 60 points, 80 points, or 90 points, and there is no limitation here.
  • the authorization information corresponding to the safety management score refers to the further subdivision of the safety management score that has reached the preset score, and the corresponding authorization information is configured according to the subdivided safety management score. For example, if the preset score is 60 points, then 60 points to 100 points can be subdivided into three levels: 60-70 points, 70-90 points, and 90-100 points, and then different levels can be configured according to these three levels.
  • the authorization information includes token time limit information and authority description information.
  • the token time limit information is the effective time information of the command card.
  • the token time limit information can be different, which can be set according to actual needs.
  • the token time limit corresponding to 60-70 points is 1 day, while 70-90 points are divided into 5 days, and 90-100 points are divided into 7 days, etc.
  • the authority description information refers to the authority that the partner channel party has.
  • the security management score is different, the authority description information is also different.
  • the server can set the authority of the partner channel party's access time, authority, and location accordingly. It can be set according to actual needs, and there is no restriction here.
  • the server judges the obtained audit qualifications and safety management scores of the cooperation channel party, and if the audit qualification of the cooperation channel party is in the state of passing the audit, and the safety management score reaches the preset score, it will The identification of the generated authorization token and the authorization information corresponding to the security management score are stored in the database of the server, so that the authorization token of the cooperative channel party can be subsequently verified.
  • the monthly server stores the authorization token in the database, it records the time when the authorization token is generated, so as to subsequently authorize The token time limit information of the token is checked.
  • S40 Send the authorization token to the client.
  • the server sends the authorization token to the client of the cooperative channel party, so that the cooperative channel party can access the open platform through the authorization token.
  • the server sends the authorization token to the client it can be sent in a preset manner. For example, it can be set to be sent to the client’s APP or sent to the mobile phone number reserved by the partner channel. Or email, etc. The specific method is not restricted here.
  • S50 If the cooperative channel party accesses the open platform through the authorization token, the token time limit information and the authority description information are verified, and if the verification is passed, the cooperative channel party is allowed to access the open platform.
  • the server obtains the corresponding token time limit information and authority description information from the database according to the identification of the cooperative channel party, and obtains the current access of the cooperative channel party Then, the server compares the current access status of the partner channel with the token time limit information and permission description information. If the current access status of the partner channel party matches the token time limit information and permission description information, then the partner channel will be connected Enter the open platform.
  • the server can determine that the current access time of the partner channel matches the permission description information ; For another example, if the current authorization token of the partner channel party has been effective for 6 days, but the corresponding token time limit information is only 5 days, the server can determine that the current authorization token and token time limit information of the partner channel party is not Match.
  • the access request includes the identification of the cooperative channel party; and then obtaining the audit qualification and security management score of the cooperative channel party according to the access request, if If the audit qualification is the approved status and the security management score reaches the preset score, then the authorization token and authorization information corresponding to the security management score are generated according to the identification of the partner channel party.
  • the authorization information includes token time limit information and authority description information; The token is sent to the client, and if the partner channel party accesses the open platform through the authorization token, the token time limit information and permission description information are verified, and if the verification passes, the partner channel party is connected to the open platform.
  • the token time limit is further trusted.
  • the verification of information and authority description information can improve the access threshold of the open platform, strengthen the management of the activities of the cooperative channel parties after accessing the open platform, thereby effectively reducing the open platform being attacked and improving the stability of the open platform .
  • the security of the open platform provided in this embodiment is The management method also includes the following steps:
  • S61 Obtain user traffic of the cooperative channel party within a preset time period based on the identifier.
  • user traffic refers to the number of users when the cooperative channel party interacts with the open platform.
  • the preset time period can be set according to actual needs, and is not specifically limited here, for example, it is 1 day, 30 days, or half a year. It is understandable that by collecting statistics on the user traffic of the cooperative channel party in the preset time period, the importance of the cooperative channel party on the open platform can be evaluated, and it can also be judged whether the cooperative channel party’s traffic is within the normal range, for example, whether There are user attacks and other situations.
  • the server counts the user traffic of the cooperative channel party within a preset time period according to the identifier of the cooperative channel party.
  • the server can use a monitoring tool to monitor the user traffic of the cooperative channel party.
  • the monitoring tool can be, for example, a zabbix monitoring tool.
  • the zabbix monitoring tool can monitor various network parameters to ensure the safe operation of the open platform, and provide The flexible notification mechanism allows administrators of the open platform to quickly locate and solve various problems.
  • S62 If the user traffic is less than the first preset flow threshold or greater than the second preset flow threshold, the security management score is deducted from the corresponding score based on the preset score table.
  • the first preset flow threshold is a threshold set by the server to measure whether the cooperative channel party has a basis for continuing cooperation with the open platform, which is equivalent to the entry threshold of the cooperative channel party.
  • the second preset flow threshold is used to determine whether the flow of the cooperative channel party is within the normal range and whether there is an abnormal situation such as an attack.
  • the first preset flow threshold and the second preset flow threshold may be specifically set according to actual needs, and there is no specific limitation here.
  • the first preset flow threshold is smaller than the second preset flow threshold.
  • the preset scoring table can be set according to actual needs, and there is no limitation here.
  • the preset scoring table may be set to deduct 40 points if the user flow is less than the first preset flow threshold; if the user flow is greater than the second preset flow threshold, 20 points are set to be deducted, and so on.
  • the preset time periods corresponding to the first preset flow threshold and the second preset flow threshold may be different, for example, the first preset flow threshold It is to count user traffic within half a year, and the second preset traffic threshold may be to count the user traffic within one day.
  • the preset scoring table may also be set to deduct corresponding points for other violations of the open platform security management by the cooperative channel party, for example, whether the cooperative channel party fulfills the requirements of the open platform.
  • the server monitors and counts the user traffic of the cooperative channel party, and then compares the user traffic of the cooperative channel party with the first preset traffic threshold and the second preset traffic threshold. If the user traffic is less than The first preset flow threshold indicates that the user flow of the cooperative channel party is too small, and the corresponding score of the security management score of the cooperative channel party is deducted according to the preset score table.
  • the server may send a prompt message to the management end of the open platform based on the identification of the cooperative channel party, so that the relevant management personnel of the open platform will subsequently approve the qualification of the cooperative channel party As the corresponding data reference.
  • the server can send a prompt message to the management end of the open platform based on the identifier of the partner channel party, so that the management end of the open platform can handle the abnormal situation of the partner channel party in a timely manner. For example, the rights of users who attack the open platform in the cooperative channel party are modified to have no access to the open platform, and security isolation is implemented to ensure the stability of the open platform.
  • the user traffic of the cooperative channel party within a preset time period is acquired based on the identifier, and if the user traffic is less than the first preset flow threshold or greater than the second preset flow threshold, it is based on The preset score sheet deducts the corresponding points from the safety management score.
  • the permission description information includes an access time interval and an access location range, where the access time interval refers to the time during which the partner channel party can access the open platform, and the access location range refers to The cooperative channel party can access the IP address range corresponding to the open platform.
  • step S50 that is, if the cooperative channel party accesses the open platform through the authorization token, the token time limit information and the authority description information are verified, and if the verification passes , Then the cooperation channel parties will be connected to the open platform, which can include the following steps
  • the access time of the authorization token refers to the time during which the cooperative channel party can access the open platform after the authorization token is generated.
  • the access time of the authorization token can be obtained by subtracting the generation time of the authorization token on the server from the current time of the open platform. For example, if the generation time of the authorization token is January 1, and the current open platform time is January 3, then the access time of the authorization token is 3 days.
  • the server when the server obtains the request from the cooperative channel party to access the open platform through the authorization token at the client, the server obtains the current time of the open platform and the generation time of the authorization token, and opens the platform The current time subtracts the generation time of the authorization token to obtain the access time of the authorization token.
  • S52 If the access time of the authorization token is less than or equal to the preset time threshold, obtain the current access time of the cooperative channel party.
  • the preset time threshold refers to a time threshold preset by the server for restricting cooperation channel parties from accessing the open platform.
  • the preset time threshold may be 5 days, 7 days, 10 days, etc. The details can be set according to actual needs, and there is no specific limitation here.
  • the server may additionally set a preset time threshold for users of the cooperative channel party, and set the preset time threshold for users of the cooperative channel party to a shorter time, such as 10 minutes, 20 minutes, or 30 minutes, etc. .
  • the audit qualification or security management score of the cooperative channel party may change within the preset time threshold, by setting the preset time threshold to limit the access time of the cooperative channel party, it can ensure that the cooperative channel party is always The approved cooperative channel party is the safe cooperative channel party. For example, if there is a change in the audit qualification of the partner channel during this period, that is, the status of the original partner channel’s audit qualification changes from approved to failed, or the safety management score changes from reaching the preset score to less than If the score is preset, the cooperative channel party becomes an illegal channel party, and the server can prevent the cooperative channel party from accessing the open platform through the originally generated authorization token by setting the preset time threshold, thereby realizing the security management of the open platform.
  • the server compares the access time of the authorization token with a preset time threshold, and if the access time of the authorization token is less than or equal to the preset time threshold, it is determined that the token time limit verification is successful, and the service
  • the server obtains the current access time of the cooperative channel party; if the access time of the authorization token is greater than the preset time threshold, it is determined that the timeliness check fails, and the server re-obtains the audit qualification and security management score of the cooperative channel party.
  • the obtained audit qualification and security management score determine whether to regenerate a new authorization token.
  • S53 If the current visit time meets the visit time interval, acquire the current visit location of the partner channel [0073] Specifically, the server compares the current visit time of the partner channel party with the visit time interval, and if the current visit time of the partner channel party is within the visit time interval, it is determined that the verification of the visit time is successful, and then according to the cooperation
  • the channel party s IP obtains the current access location of the cooperative channel party; if the current access time of the cooperative channel party is outside the access time interval, the server determines that the access time verification has failed, refuses the cooperative channel party to access the open platform, and tells the customer The terminal sends corresponding prompt information.
  • the server compares the current access location of the partner channel party with the range of the access location, and if the current access location of the partner channel party is within the access location range, it is determined that the access location verification is successful, and the partner channel party is accepted Enter the open platform; if the current access location of the partner channel party exceeds the access location range, it is determined that the access location verification fails, the partner channel party is denied access to the open platform, and a prompt message is sent to the client. For example, if the visiting location range is Guangdong province, and the current visiting location of the partner channel party is in Hunan province, the server can determine that the current visiting location of the partner channel party is beyond the visiting location range.
  • the access time of the authorization token is obtained; if the access time of the authorization token is less than or equal to the preset time Threshold, the current visit time of the partner channel is obtained; if the current visit time matches the visit time interval, the current visit location of the partner channel is obtained; if the current visit location is within the range of the visit location, the partner channel party’s access is open platform.
  • step S50 that is, if the partner channel party accesses the open platform through the authorization token
  • the token time limit information and the authority description information are verified, if the verification is
  • the security management method of the open platform further includes the following steps:
  • S71 Obtain an interaction message between the cooperation channel party and the open platform.
  • the interaction between the cooperative channel party and the open platform is realized through interactive messages. Since the server is connected to the client of the partner channel party and the open platform, the message between the client and the open platform needs to be processed It is sent through the server. Therefore, after the cooperative channel party accesses the open platform, the server can obtain the interactive message between the cooperative channel party and the open platform.
  • S72 Encrypt the interactive message, and send the encrypted interactive message.
  • an encryption algorithm can be selected as required, such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), Base64 encryption algorithm, etc.
  • the server uses AES to encrypt the interactive message.
  • the server encrypts the acquired interactive message, and then sends the encrypted interactive message to the client of the cooperative channel party or the open platform.
  • the encrypted interaction message is sent.
  • Encrypting interactive messages can make related messages of the open platform more secure, reduce attacks on the open platform by pretending to be cooperative channel parties or users of cooperative channel parties, and improve the security of the open platform.
  • step S72 that is, after the steps of encrypting the interactive message and sending the encrypted interactive message
  • the security management of the open platform provided in this embodiment
  • the method also includes the following steps:
  • S81 Obtain the key identifier for encrypting the interactive message, encrypt the key identifier by the RSA algorithm, and obtain the public key and the private key corresponding to the RSA algorithm.
  • this embodiment uses the RSA algorithm to encrypt the generated key identification, and obtains the public key and the private key corresponding to the RSA algorithm.
  • the RSA algorithm is an asymmetric encryption algorithm.
  • a pair of RSA keys is first generated, one of which is a secret key, that is, a private key, which is saved by the user; the other is a public key, that is, a public key, which can be Open to the outside world.
  • the RSA private key is at least 500 bits long.
  • the RSA private key in this embodiment uses 1024 bits.
  • S82 Send the public key to the client, and obtain the preset receiving mode of the cooperative channel party according to the identifier.
  • the server can directly send the public key to the client of the partner channel . Then, the server obtains the preset receiving mode of the cooperative channel party according to the identifier of the cooperative channel party.
  • the preset receiving method can be set according to actual needs, for example, a designated email address or a designated mobile phone number of the partner channel party is used as the preset receiving method. It should be noted that the preset receiving method can be different from the mailbox or mobile phone number reserved by the partner channel on the open platform, but it should be set to send offline, that is, it is different from the online sending of the public key to the client. Sending offline can further ensure the security of the key identification and private key.
  • S83 Send the private key based on the preset receiving mode, so that the cooperative channel party can view the interactive message through the public key and the private key.
  • the server sends the private key to the cooperative channel party through the acquired preset receiving mode of the cooperative channel party, so that the cooperative channel party obtains the key identifier through the public key and the private key of the RSA algorithm, and then obtains View the interactive message with the open platform.
  • the public key and the private key corresponding to the RSA algorithm are obtained; and then the public key is sent To the client, and obtain the preset receiving method of the cooperative channel party according to the identifier; finally, send the private key based on the preset receiving method, so that the cooperative channel party can view the interactive message through the public key and the private key.
  • the RSA algorithm is used to further encrypt the key identification of the interactive message encryption, which can further ensure the security of the interaction between the cooperative channel party and the open platform and improve the stability of the open platform.
  • an open platform security management device is provided, and the security management device of the open platform corresponds to the security management method of the open platform in the foregoing embodiment one-to-one.
  • the security management device of the open platform includes an access request acquisition module 10, a qualification score acquisition module 20, an authorization token generation module 30, an authorization token sending module 40, and an authorization information verification module 50.
  • the detailed description of each functional module is as follows:
  • the access request obtaining module 10 is configured to obtain an access request from a cooperative channel party, where the access request includes an identifier of the cooperative channel party;
  • the qualification score obtaining module 20 is configured to obtain the audit qualification and security management score of the cooperative channel party according to the access request;
  • the authorization token generation module 30 is configured to generate an authorization token according to the identifier when the review qualification is in an approved state and the security management score reaches a preset score;
  • the authorization token sending module 40 is configured to send the authorization token to the client, so that the cooperative channel party can access the open platform through the authorization token;
  • the authorization information verification module 50 is used to verify the token time limit information and authority description information when the partner channel party accesses the open platform through the authorization token, and when the verification is passed, the partner channel party will access Open up.
  • the security management apparatus of the open platform provided in this embodiment further includes a security management scoring module 50, wherein the security management scoring module 50 includes a user traffic acquisition unit 51 and a security score deduction unit 52.
  • the user traffic acquiring unit 51 is configured to acquire the user traffic of the cooperative channel party in a preset time period based on the identifier
  • the safety score deducting unit 52 is configured to deduct the safety management score from the corresponding score based on the preset score table when the user traffic is less than the first preset flow threshold or greater than the second preset flow threshold.
  • the authority description information includes an access time interval and an access location range
  • the authorization information verification module 50 includes an access time acquisition unit 51, an access time verification unit 52, and an access time verification Unit 53 and access location verification unit 54.
  • the access time obtaining unit 51 is configured to obtain the access time of the authorization token when the cooperative channel party requests to access the open platform through the authorization token;
  • the access time verification unit 52 is configured to obtain the current access time of the cooperative channel party when the access time of the authorization token is less than or equal to the preset time threshold;
  • the visit time verification unit 53 is configured to obtain the current visit location of the cooperative channel party when the current visit time matches the visit time interval;
  • the visit location verification unit 54 is configured to connect the cooperative channel party to the open platform when the current visit location is within the visit location range.
  • the security management apparatus of the open platform provided in this embodiment further includes an interactive message encryption module , Where the interactive message encryption module is used for:
  • the security management device of the open platform provided in this embodiment further includes a key identification encryption module, where the key identification encryption module is used for:
  • the private key is sent based on the preset receiving mode, so that the cooperative channel party can view the interactive message through the public key and the private key.
  • each module in the security management device of the above open platform can be implemented in whole or in part by software, hardware, and combinations thereof.
  • the foregoing modules may be embedded in the form of hardware or independent of the processor in the computer device, or may be stored in the memory of the computer device in the form of software, so that the processor can invoke and execute the operations corresponding to the foregoing modules.
  • a computer device is provided.
  • the computer device may be a server, and its internal structure diagram may be as shown in FIG. 10.
  • the computer equipment includes a processor, a memory, a network interface, and a database connected through a system bus. Among them, the processor of the computer device is used to provide calculation and control capabilities.
  • the memory of the computer device includes a non-volatile storage medium and an internal memory.
  • the non-volatile storage medium stores an operating system, computer readable instructions, and a database.
  • the internal memory provides an environment for the operation of the operating system and computer-readable instructions in the non-volatile storage medium.
  • the computer equipment database is used to store identification, audit qualifications, security management scores, authorization tokens, and so on.
  • the network interface of the computer device is used to communicate with an external terminal through a network connection.
  • the computer-readable instructions are executed by the processor to realize an open platform security management method.
  • a computer device including a memory, a processor, and computer readable instructions stored in the memory and running on the processor, and the processor executes the following steps when the computer readable instructions are executed :
  • an authorization token and authorization information corresponding to the security management score are generated according to the identifier, and the authorization information includes token time limit information and authority description information;
  • the cooperative channel party accesses the open platform through the authorization token, the token time limit information and the authority description information are verified, and if the verification is passed, the cooperative channel party is accessed and opened.
  • one or more non-volatile readable storage media storing computer readable instructions are provided.
  • the computer readable instructions are executed by one or more processors, the One or more processors perform the following steps:
  • an authorization token and authorization information corresponding to the security management score are generated according to the identifier, and the authorization information includes token time limit information and authority description information;
  • the cooperative channel party accesses the open platform through the authorization token, the token time limit information and the authority description information are verified, and if the verification is passed, the cooperative channel party is opened for access.
  • Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory may include random access memory (RAM) or external cache memory.
  • RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), and enhanced Type SDRAM (ESDRAM), synchronous link (Synchlink) DRAM (SLDRAM), memory bus (Rambus), direct RAM (RDRAM), direct memory bus dynamic RAM (DRDR AM), and memory bus dynamic RAM (RDRAM), etc.
  • SRAM static RAM
  • DRAM dynamic RAM
  • SDRAM synchronous DRAM
  • DDRSDRAM double data rate SDRAM
  • ESDRAM enhanced Type SDRAM
  • SLDRAM synchronous link (Synchlink) DRAM
  • SLDRAM synchronous link (Synchlink) DRAM
  • Rambus direct RAM
  • DRDR AM direct memory bus dynamic RAM
  • RDRAM memory bus dynamic RAM

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

一种开放平台的安全管理方法、装置、计算机设备及存储介质,该方法包括:获取合作渠道方的接入请求,接入请求包括合作渠道方的标识(S10);根据接入请求获取合作渠道方的审核资质和安全管理评分(S20);若审核资质为审核通过状态且安全管理评分达到预设评分,则根据标识生成授权令牌和与安全管理评分相应的授权信息,授权信息包括令牌时限信息和权限描述信息(S30);将授权令牌发送至客户端(S40);若合作渠道方通过授权令牌访问开放平台,则对令牌时限信息和权限描述信息进行校验,若校验通过,则将合作渠道方接入开放开台(S50)。通过校验合作渠道方的令牌时限信息和权限描述信息,可以加强对开放平台的管理,提高开放平台的稳定性。

Description

幵放平台的安全管理方法、 装置、 计算机设备及存储介质
[0001] 本申请以 2019年 04月 16日提交的申请号为 201910305905.2, 名称为“开放平台的 安全管理方法、 装置、 计算机设备及存储介质”的中国发明专利申请为基础, 并 要求其优先权。
技术领域
[0002] 本申请属于身份验证领域, 更具体地说, 是涉及一种开放平台的安全管理方法 、 装置、 计算机设备及存储介质。
[0003]
[0004] 背景技术
[0005] 开放平台,是指软件系统通过公开其应用程序编程接口 (API) 或函数来使外部 的程序可以增加软件系统的功能或使用软件系统的资源, 而不需要更改软件系 统的源代码。 在现在的互联网时代, 把网站的服务封装成一系列计算机易识别 的数据接口开放出去, 供第三方开发者使用, 这种行为就叫做开放 API, 提供开 放 API的平台本身被称为开放平台。
[0006] 然而目前开放平台的建设中, 由于缺乏对合作方及合作方用户的有效管理, 存 在不良合作方或者合作方用户攻击开放平台的情况, 使开放平台存在安全隐患
[0007] 发明内容
[0008] 本申请实施例提供一种开放平台的安全管理方法、 装置、 计算机设备及存储介 质, 以解决目前安全平台存在安全隐患的问题。
[0009] 一种开放平台的安全管理方法, 包括:
[0010] 获取合作渠道方的接入请求, 所述接入请求包括所述合作渠道方的标识;
[0011] 根据所述接入请求获取所述合作渠道方的审核资质和安全管理评分;
[0012] 若所述审核资质为审核通过状态且所述安全管理评分达到预设评分, 则根据所 述标识生成授权令牌和与所述安全管理评分相应的授权信息, 所述授权信息包 括令牌时限信息和权限描述信息;
[0013] 将所述授权令牌发送至客户端;
[0014] 若所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令牌时限信息和 所述权限描述信息进行校验, 若校验通过, 则将所述合作渠道方接入所述开放 开台。
[0015] 一种开放平台的安全管理装置, 包括:
[0016] 接入请求获取模块, 用于获取合作渠道方的接入请求, 所述接入请求包括所述 合作渠道方的标识;
[0017] 资质评分获取模块, 用于根据所述接入请求获取所述合作渠道方的审核资质和 安全管理评分;
[0018] 授权令牌生成模块, 用于若所述审核资质为审核通过状态且所述安全管理评分 达到预设评分, 则根据所述标识生成授权令牌和与所述安全管理评分相应的授 权信息, 所述授权信息包括令牌时限信息和权限描述信息;
[0019] 授权令牌发送模块, 用于将所述授权令牌发送至客户端;
[0020] 授权信息校验模块, 用于当所述合作渠道方通过所述授权令牌访问开放平台时 , 对所述令牌时限信息和所述权限描述信息进行校验, 当校验通过时, 将所述 合作渠道方接入所述开放开台。
[0021] 一种计算机设备, 包括存储器、 处理器以及存储在所述存储器中并可在所述处 理器上运行的计算机可读指令, 所述处理器执行所述计算机可读指令时实现上 述开放平台的安全管理方法。
[0022] 一个或多个存储有计算机可读指令的非易失性可读存储介质, 所述计算机可读 指令被一个或多个处理器执行时, 使得所述一个或多个处理器执行上述开放平 台的安全管理方法。
[0023] 本申请的一个或多个实施例的细节在下面的附图和描述中提出, 本申请的其他 特征和优点将从说明书、 附图以及权利要求变得明显。
[0024] 附图说明
[0025] 为了更清楚地说明本申请实施例中的技术方案, 下面将对实施例或现有技术描 述中所需要使用的附图作简单地介绍, 显而易见地, 下面描述中的附图仅仅是 本申请的一些实施例, 对于本领域普通技术人员来讲, 在不付出创造性劳动性 的前提下, 还可以根据这些附图获得其他的附图。
[0026] 图 1是本申请一实施例中开放平台的安全管理方法的一应用环境示意图;
[0027] 图 2是本申请一实施例中开放平台的安全管理方法的一流程图;
[0028] 图 3是本申请一实施例中开放平台的安全管理方法的另一流程图;
[0029] 图 4是本申请一实施例中开放平台的安全管理方法的另一流程图;
[0030] 图 5是本申请一实施例中开放平台的安全管理方法的另一流程图;
[0031] 图 6是本申请一实施例中开放平台的安全管理方法的另一流程图;
[0032] 图 7是本申请一实施例中开放平台的安全管理装置的一原理框图;
[0033] 图 8是本申请一实施例中开放平台的安全管理装置的另一原理框图;
[0034] 图 9是本申请一实施例中开放平台的安全管理装置中授权信息校验模块的一原 理框图;
[0035] 图 10是本申请一实施例中计算机设备的一示意图。
[0036] 具体实施方式
[0037] 下面将结合本申请实施例中的附图, 对本申请实施例中的技术方案进行清楚、 完整地描述, 显然, 所描述的实施例是本申请一部分实施例, 而不是全部的实 施例。 基于本申请中的实施例, 本领域普通技术人员在没有作出创造性劳动前 提下所获得的所有其他实施例, 都属于本申请保护的范围。
[0038] 本申请提供的开放平台的安全管理方法, 可应用在如图 1的应用环境中, 其中 , 客户端通过网络与服务端进行通信, 服务端通过客户端获取合作渠道方的接 入请求, 其中, 接入请求包括合作渠道方的标识; 然后, 服务端根据合作渠道 方的接入请求获取合作渠道方的审核资质和安全管理评分, 若审核资质为审核 通过状态且安全管理评分达到预设评分, 则根据合作渠道方的标识生成授权令 牌和与安全管理评分相应的授权信息, 授权信息包括令牌时限信息和权限描述 信息; 服务端将生成的授权令牌发送至客户端, 若合作渠道方在客户端通过授 权令牌访问开放平台, 则对令牌时限信息和权限描述信息进行校验, 若校验通 过, 则将合作渠道方接入开放平台。 其中, 客户端可以但不限于是各种个人计 算机、 笔记本电脑、 智能手机、 平板电脑和便携式可穿戴设备。 服务端可以用 独立的服务器或者是多个服务器组成的服务器集群来实现。
[0039] 在一实施例中, 如图 2所示, 提供一种开放平台的安全管理方法, 以该方法应 用在图 1中的服务端为例进行说明, 包括如下步骤:
[0040] S10: 获取合作渠道方的接入请求, 接入请求包括合作渠道方的标识。
[0041] 其中, 合作渠道方是指与开放平台具有合作关系的渠道方, 例如, 若渠道方“ 今曰头条”与开放平台有合作关系, 则“今日头条”渠道方则为开放平台的合作渠 道方。
[0042] 接入请求是指合作渠道方接入开放平台的请求。 可选地, 合作渠道方可以直接 通过合作渠道方的标识发送接入请求, 例如, 合作渠道方在开放平台的客户端 中输入合作渠道方的标识, 然后通过点击接入按钮向服务端发送接入请求, 月艮 务端即可获取到合作渠道方的接入请求。 其中, 合作渠道方的标识是指合作渠 道方在开放平台的标识, 例如是开放平台的账号。 可选地, 开放平台也可以设 定合作渠道方通过标识 (开放平台的账号) 和密码发送接入请求, 这里的密码 是指账号密码, 与后续的授权令牌不同。
[0043] S20: 根据接入请求获取合作渠道方的审核资质和安全管理评分。
[0044] 其中, 合作渠道方的审核资质可以由开放平台的相关审核部门进行审核后确定 。 例如, 合作渠道方通过开放平台提交资质审核请求, 然后由开放平台的渠道 审核员、 部门领导、 合规部门分别依次完成审核资质的审批来确定合作渠道方 是否可以通过。 其中, 合作渠道方的审核资质包括审核通过状态和审核未通过 状态。 可选地, 合作渠道方的资质审核可以通过 IBM开发的 ITSM (iTServiceMa nagement, IT服务管理) 系统来完成。
[0045] 安全管理评分是由服务端对开放平台的合作渠道方进行相关安全管理时的评分 。 示例性地, 相关安全管理可以是对合作渠道方的用户流量、 合作渠道方的用 户是否存在对开放平台进行攻击或窃取、 合作渠道方是否履行开放平台规定等 关系开放平台安全的情况进行管理。 可选地, 服务端可以预先设定一个安全管 理评分表, 然后根据合作渠道方的实际情况进行打分, 将打分的结果作为安全 管理评分。 可选地, 可以将合作渠道方的初始安全管理评分设为满分, 例如 100 分, 然后采用扣分制, 若合作渠道方的行为违反相关安全管理的规定, 则对合 作渠道方按照预设的安全管理评分表扣除相应的分数, 将合作渠道方剩余的分 数作为其安全管理评分。 例如, 安全管理评分表可以规定若合作渠道方的用户 存在对开放平台进行攻击情况时, 对合作渠道方扣除 10分。 可选地, 服务端可 以在设置该安全管理评分表时, 若合作渠道方本身违反开放平台相关安全管理 规定时, 则扣除较大比重的分数; 若合作渠道方的用户违反开放平台相关安全 管理规定时, 则扣除较小比重的分数。
[0046] 具体地, 当服务端获取到合作渠道方的接入请求时, 根据合作渠道方的标识从 服务端的数据库中获取合作渠道方相应的审核资质和安全管理评分。
[0047] S30: 若审核资质为审核通过状态且安全管理评分达到预设评分, 则根据标识 生成授权令牌和与安全管理评分相应的授权信息, 授权信息包括令牌时限信息 和权限描述信息。
[0048] 其中, 预设评分由服务端预先设定, 例如是 60分、 80分或 90分等, 这里不做限 制。 与安全管理评分相应的授权信息是指对达到预设评分的安全管理评分作进 一步细分, 根据细分后的安全管理评分配置相应授权的信息。 例如, 若预设评 分为 60分, 则可以将 60分到 100分再细分为 60-70分、 70-90分和 90-100分这三个 级别, 再根据这三个级别配置不同的授权信息。 授权信息包括令牌时限信息和 权限描述信息, 令牌时限信息是指令牌有效的时间信息, 可选地, 当安全管理 评分不同时, 令牌时限信息可以不同, 具体可以根据实际需要进行设定, 例如 , 60-70分对应的令牌时限为 1天, 而 70-90分为 5天, 90-100分为 7天等等, 此处 不做限制。 而权限描述信息是指合作渠道方所具备的权限, 当安全管理评分不 同时, 权限描述信息也不同, 例如服务端可以对合作渠道方的访问时间权限和 访问位置等权限进行相应设定, 具体可以根据实际需要进行设定, 此处不做限 制。
[0049] 具体地, 服务端对获取的合作渠道方的审核资质和安全管理评分进行判断, 若 合作渠道方的审核资质为审核通过状态, 且安全管理评分达到预设评分, 则根 据合作渠道方的标识生成授权令牌和与安全管理评分相应的授权信息并存储于 服务端的数据库中, 以便后续对合作渠道方的授权令牌进行校验。 可选地, 月艮 务端将授权令牌存储于数据库时, 记录授权令牌生成的时间, 以便后续对授权 令牌的令牌时限信息进行检验。
[0050] 在一个具体实施方式中, 若合作渠道方的审核资质为审核未通过状态或者安全 管理评分未达到预设评分, 则生成相应的提示信息, 例如“无接入权限”, 最后将 提示信息发送至客户端。
[0051] S40: 将授权令牌发送至客户端。
[0052] 具体地, 服务端将授权令牌发送至合作渠道方的客户端, 使合作渠道方可以通 过授权令牌接入开放平台。 可选地, 服务端在将授权令牌发送至客户端时, 可 以通过预先设定的方式进行发送, 例如, 可以设定通过发送至客户端的 APP, 或 者发送至合作渠道方预留的手机号或邮箱等, 具体方式此处不做限制。
[0053] S50: 若合作渠道方通过授权令牌访问开放平台, 则对令牌时限信息和权限描 述信息进行校验, 若校验通过, 则将合作渠道方接入开放开台。
[0054] 具体地, 当合作渠道方通过授权令牌访问开放平台时, 服务端根据合作渠道方 的标识从数据库中获取相应的令牌时限信息和权限描述信息, 并获取合作渠道 方当前的访问状态, 然后服务端将合作渠道方当前的访问状态与令牌时限信息 和权限描述信息进行比较, 若合作渠道方当前的访问状态与令牌时限信息和权 限描述信息相符, 则将合作渠道方接入开放平台。 例如, 若合作渠道方当前的 访问时间为 8: 00, 而权限描述信息对应允许的访问时间为 7: 00-16: 00, 则服 务端可以判定合作渠道方当前的访问时间与权限描述信息相符; 又例如, 若合 作渠道方当前授权令牌的时间为已生效 6天, 但相应的令牌时限信息只有 5天, 则服务端可以判定合作渠道方当前的授权令牌与令牌时限信息不相符。
[0055] 在图 2对应的实施例中, 通过获取合作渠道方的接入请求, 接入请求包括合作 渠道方的标识; 然后根据接入请求获取合作渠道方的审核资质和安全管理评分 , 若审核资质为审核通过状态且安全管理评分达到预设评分, 则根据合作渠道 方的标识生成授权令牌和与安全管理评分相应的授权信息, 授权信息包括令牌 时限信息和权限描述信息; 将授权令牌发送至客户端, 若合作渠道方通过授权 令牌访问开放平台, 则对令牌时限信息和权限描述信息进行校验, 若校验通过 , 则将合作渠道方接入开放平台。 通过设置合作渠道方的审核资质和安全管理 评分, 并且在合作渠道方通过授权令牌访问开放平台时, 进一步对令牌时限信 息和权限描述信息进行校验, 可以提高开放平台的接入门槛, 加强对合作渠道 方在接入开放平台后的活动的管理, 从而有效减少开放平台受到攻击等情况, 提高开放平台的稳定性。
[0056] 在一实施例中, 如图 3所示, 在步骤 S20之前, 即在根据接入请求获取合作渠道 方的审核资质和安全管理评分的步骤之前, 本实施例提供的开放平台的安全管 理方法还包括以下步骤:
[0057] S61: 基于标识获取合作渠道方在预设时间段内的用户流量。
[0058] 其中, 用户流量是指合作渠道方与开放平台发生交互时的用户数量。 可选地, 预设时间段可以根据实际需要进行设定, 这里不做具体限定, 例如是 1天内、 30 天或半年等。 可以理解的是, 通过对合作渠道方在预设时间段里的用户流量进 行统计, 可以评估合作渠道方在开放平台的重要度, 也可以判断合作渠道方的 流量是否在正常范围内, 例如是否存在用户攻击等情况。
[0059] 具体地, 服务端根据合作渠道方的标识统计合作渠道方在预设时间段内的用户 流量。 可选地, 服务端可以用监控工具对合作渠道方的用户流量进行监控, 其 中, 监控工具例如可以是 zabbix监控工具, zabbix监控工具能监视各种网络参数 , 保证开放平台的安全运营, 并提供灵活的通知机制以让开放平台的管理员快 速定位和解决存在的各种问题。
[0060] S62: 若用户流量小于第一预设流量阈值或大于第二预设流量阈值, 则基于预 设评分表将安全管理评分扣除相应分值。
[0061] 其中, 第一预设流量阈值是服务端设置的用于衡量合作渠道方是否具有与开放 平台继续合作基础的阈值, 相当于合作渠道方的准入门槛。 第二预设流量阈值 是用于判断合作渠道方的流量是否在正常范围内, 是否存在攻击等异常情况。 第一预设流量阈值和第二预设流量阈值可以根据实际需要进行具体设定, 这里 不做具体限定。 优选地, 第一预设流量阈值小于第二预设流量阈值。
[0062] 其中, 预设评分表可以根据实际需要进行设定, 此处不做限制。 例如, 预设评 分表可以设定, 若用户流量小于第一预设流量阈值, 则设定扣除 40分; 若用户 流量大于第二预设流量阈值, 则设定扣除 20分等等。 可选地, 第一预设流量阈 值和第二预设流量阈值对应的预设时间段可以不同, 例如, 第一预设流量阈值 是统计半年内用户流量, 而第二预设流量阈值则可以是统计一天内的用户流量 。 可选地, 预设评分表还可以设定对合作渠道方存在其它违反开放平台安全管 理的情况扣除相应的分值, 例如合作渠道方是否履行开放平台规定的情况。
[0063] 具体地, 服务端通过对合作渠道方的用户流量进行监控并统计, 然后将合作渠 道方的用户流量与第一预设流量阈值和第二预设流量阈值进行比较, 若用户流 量小于第一预设流量阈值, 表明合作渠道方的用户流量过小, 则按照预设评分 表扣除合作渠道方的安全管理评分的相应分值。 可选地, 在对合作渠道方扣除 安全管理评分时, 服务端可以基于合作渠道方的标识向开放平台的管理端发送 提示消息, 使开放平台的相关管理人员后续对合作渠道方进行资质审批时作为 相应的数据参考。 若用户流量大于第二预设流量阈值, 则表明合作渠道方存在 流量攻击或窃取平台数据等异常情况, 则按照预设评分表按照第二预设流量阈 值的情况扣除合作渠道方的安全管理评分的相应分值。 可选地, 服务端可以基 于合作渠道方的标识向开放平台的管理端发送提示消息, 使开放平台的管理端 对合作渠道方的异常情况进行及时处理。 例如, 将合作渠道方中的攻击开放平 台的用户的权限修改为无接入开放平台的权限, 实行安全隔离, 保证开放平台 的稳定。
[0064] 在图 3对应的实施例中, 通过基于标识获取合作渠道方在预设时间段内的用户 流量, 若用户流量小于第一预设流量阈值或大于第二预设流量阈值, 则基于预 设评分表将安全管理评分扣除相应分值。 通过对合作渠道方的用户流量进行监 控管理, 可以对合作渠道方的准入资格和安全管理情况进行评估, 加强了开放 平台的安全管理, 减少开放平台受到攻击的可能性, 提高开放平台的稳定性。
[0065] 在一实施例中, 如图 4所示, 权限描述信息包括访问时间区间和访问位置范围 , 其中, 访问时间区间是指合作渠道方可以访问开放平台的时间, 而访问位置 范围是指合作渠道方可以接入开放平台对应的 IP地址范围, 在步骤 S50中, 即若 合作渠道方通过授权令牌访问开放平台, 则对令牌时限信息和权限描述信息进 行校验, 若校验通过, 则将合作渠道方接入开放开台, 具体可以包括以下步骤
[0066] S51: 当合作渠道方通过授权令牌请求接入开放平台时, 获取授权令牌的接入 时间。
[0067] 其中, 授权令牌的接入时间是指合作渠道方在授权令牌生成后可以接入开放平 台的时间。 可选地, 授权令牌的接入时间可以通过开放平台的当前时间减去授 权令牌在服务端的生成时间得到。 例如若授权令牌的生成时间为 1月 1日, 当前 开放平台的时间为 1月 3日, 则授权令牌的接入时间为 3天。
[0068] 具体地, 当服务端获取到合作渠道方在客户端通过授权令牌接入开放平台的请 求时, 服务端获取开放平台的当前时间和授权令牌的生成时间, 并将开放平台 的当前时间减去授权令牌的生成时间, 得到授权令牌的接入时间。
[0069] S52: 若授权令牌的接入时间小于或等于预设时间阈值, 则获取合作渠道方的 当前访问时间。
[0070] 其中, 预设时间阈值是指服务端预先设置的用于限制合作渠道方接入开放平台 的时间阈值, 可选地, 预设时间阈值可以为 5天、 7天或 10天等, 具体可以根据 实际需要进行设定, 这里不做具体限定。 可选地, 服务端还可以另外设置合作 渠道方的用户的预设时间阈值, 且将合作渠道方的用户的预设时间阈值设置为 更短时间, 例如是 10分钟、 20分钟或 30分钟等。 可以理解, 由于合作渠道方的 审核资质或安全管理评分可能在预设时间阈值内发生变化, 通过设置预设时间 阈值限制合作渠道方的接入时间, 可以保证合作渠道方始终为得到开放平台的 认可的合作渠道方, 为安全的合作渠道方。 例如, 若合作渠道方在这段时间内 存在审核资质的改变, 即原来的合作渠道方的审核资质的状态从审核通过变为 审核未通过, 或者安全管理评分从达到预设分值变化为小于预设分值, 则合作 渠道方变为非法渠道方, 则服务端通过设置预设时间阈值可以使合作渠道方无 法通过原来生成的授权令牌接入开放平台, 从而实现开放平台的安全管理。
[0071] 具体地, 服务端将授权令牌的接入时间与预设时间阈值进行比较, 若授权令牌 的接入时间小于或等于预设时间阈值, 则判定令牌时限校验成功, 服务端再获 取合作渠道方的当前访问时间; 若授权令牌的接入时间大于预设时间阈值, 则 判定时效性校验失败, 服务端重新获取合作渠道方的审核资质和安全管理评分 , 根据重新获取的审核资质和安全管理评分判断是否重新生成新的授权令牌。
[0072] S53: 若当前访问时间符合访问时间区间, 则获取合作渠道方的当前访问位置 [0073] 具体地, 服务端将合作渠道方的当前访问时间与访问时间区间进行比较, 若合 作渠道方的当前访问时间在访问时间区间内, 则判定访问时间的校验成功, 则 再根据合作渠道方的 IP获取合作渠道方的当前访问位置; 若合作渠道方的当前访 问时间在访问时间区间外, 则服务端判定访问时间的校验失败, 拒绝合作渠道 方接入开放平台, 并向客户端发送相应的提示信息。
[0074] S54: 若当前访问位置在访问位置范围之内, 则将合作渠道方接入开放平台。
[0075] 具体地, 服务端将合作渠道方的当前访问位置与访问位置范围进行比较, 若合 作渠道方的当前访问位置在访问位置范围内, 则判定访问位置校验成功, 将合 作渠道方接入开放平台; 若合作渠道方的当前访问位置超出访问位置范围, 则 判定访问位置校验失败, 则拒绝合作渠道方接入开放平台, 并向客户端发送提 示信息。 例如, 若访问位置范围为广东省, 而合作渠道方的当前访问位置在湖 南省, 则服务端可以判定合作渠道方的当前访问位置超出访问位置范围。
[0076] 在图 4对应的实施例中, 当合作渠道方通过授权令牌请求接入开放平台时, 获 取授权令牌的接入时间; 若授权令牌的接入时间小于或等于预设时间阈值, 则 获取合作渠道方的当前访问时间; 若当前访问时间符合访问时间区间, 则获取 合作渠道方的当前访问位置; 若当前访问位置在访问位置范围之内, 则将合作 渠道方接入开放平台。 通过对合作渠道方的授权令牌的令牌时限信息进行校验 , 可以始终保证接入开放平台的合作渠道方为安全管理状况良好的合作渠道方 ; 通过对合作渠道方的访问时间和访问位置进行校验, 可以加强对合作渠道方 的访问管理, 提高开放平台的稳定性。
[0077] 在一实施例中, 如图 5所示, 在步骤 S50之后, 即若合作渠道方通过授权令牌访 问开放平台, 则对令牌时限信息和权限描述信息进行校验, 若校验通过, 则将 合作渠道方接入开放开台的步骤之后, 本实施例提供的开放平台的安全管理方 法还包括以下步骤:
[0078] S71: 获取合作渠道方与开放平台的交互报文。
[0079] 应理解, 合作渠道方与开放平台的交互都是经过交互报文来实现的。 由于服务 端与合作渠道方的客户端和开放平台相连接, 客户端与开放平台的报文需要经 过服务端来发送, 因此, 在合作渠道方接入开放平台后, 服务端可以获取到合 作渠道方与开放平台的交互报文。
[0080] S72: 对交互报文进行加密, 发送加密后的交互报文。
[0081] 其中, 对交互报文进行加密可以根据需要选择加密算法, 例如, 如 DES (Data Encryption Standard, 数据加密标准) 、 AES (Advanced Encryption Standard, 高 级加密标准) 、 Base64加密算法等。 可选地, 服务端选用 AES对交互报文进行加 密。
[0082] 具体地, 服务端对获取的交互报文进行加密, 再将加密后的交互报文发送至合 作渠道方的客户端或开放平台。
[0083] 在图 5对应的实施例中, 通过获取合作渠道方与开放平台的交互报文, 并对交 互报文进行加密, 再发送加密后的交互报文。 通过对交互报文进行加密, 可以 使开放平台的相关报文更加安全, 减少冒充合作渠道方或合作渠道方的用户对 开放平台进行攻击的情况, 提高开放平台的安全性。
[0084] 在一实施例中, 如图 6所示, 在步骤 S72之后, 即在对交互报文进行加密, 发送 加密后的交互报文的步骤之后, 本实施例提供的开放平台的安全管理方法还包 括以下步骤:
[0085] S81: 获取对交互报文加密的密钥标识, 通过 RSA算法对密钥标识进行加密, 得到 RSA算法对应的公钥和私钥。
[0086] 可以理解, 在服务端对交互报文进行加密时, 会产生密钥标识。 通常这个密钥 标识会根据合作渠道方在开放平台注册时预留的手机号或邮箱进行发送, 或者 直接发送至合作渠道方的客户端。 为了进一步加强合作渠道方的安全接入和管 理, 本实施例采用 RSA算法对产生的密钥标识进行加密, 得到 RSA算法对应的公 钥和私钥。 其中, RSA算法是一种非对称加密算法, 通常是首先生成一对 RSA密 钥, 其中之一是保密密钥, 即私钥, 由用户保存; 另一个为公开密钥, 即公钥 , 可对外公开。 为提高保密强度, RSA私钥至少为 500位长, 可选地, 本实施例 的 RSA私钥使用 1024位。
[0087] S82: 将公钥发送至客户端, 并根据标识获取合作渠道方的预设接收方式。
[0088] 由于公钥可对外公开, 因此服务端可以将公钥直接发送至合作渠道方的客户端 。 然后, 服务端根据合作渠道方的标识获取合作渠道方的预设接收方式。 其中 , 预设接收方式可以根据实际需要进行设定, 例如将合作渠道方指定的邮箱或 指定的手机号等作为预设接收方式。 应当说明的是, 预设接收方式与合作渠道 方在开放平台预留的邮箱或手机号等可以不同, 但应设置为线下发送, 即与公 钥的线上发送至客户端的方式不同, 通过线下发送可以更加保证密钥标识和私 钥的安全性。
[0089] S83: 基于预设接收方式发送私钥, 以使合作渠道方通过公钥和私钥查看交互 报文。
[0090] 具体地, 服务端通过获取的合作渠道方的预设接收方式将私钥发送给合作渠道 方, 以使合作渠道方通过 RSA算法的公钥和私钥获得密钥标识, 再通过得到的密 钥标识查看与开放平台的交互报文。
[0091] 在图 6对应的实施例中, 通过获取对交互报文加密的密钥标识, 通过 RSA算法 对密钥标识进行加密, 得到 RSA算法对应的公钥和私钥; 然后将公钥发送至客户 端, 并根据标识获取合作渠道方的预设接收方式; 最后基于预设接收方式发送 私钥, 以使合作渠道方通过公钥和私钥查看交互报文。 通过 RSA算法对交互报文 加密的密钥标识作进一步加密, 可以进一步保证合作渠道方与开放平台的交互 安全, 提高开放平台的稳定性。
[0092] 应理解, 上述实施例中各步骤的序号的大小并不意味着执行顺序的先后, 各过 程的执行顺序应以其功能和内在逻辑确定, 而不应对本申请实施例的实施过程 构成任何限定。
[0093]
[0094] 在一实施例中, 提供一种开放平台的安全管理装置, 该开放平台的安全管理装 置与上述实施例中开放平台的安全管理方法一一对应。 如图 7所示, 该开放平台 的安全管理装置包括接入请求获取模块 10、 资质评分获取模块 20、 授权令牌生 成模块 30、 授权令牌发送模块 40和授权信息校验模块 50。 各功能模块详细说明 如下:
[0095] 接入请求获取模块 10, 用于获取合作渠道方的接入请求, 所述接入请求包括所 述合作渠道方的标识; [0096] 资质评分获取模块 20, 用于根据所述接入请求获取所述合作渠道方的审核资质 和安全管理评分;
[0097] 授权令牌生成模块 30, 用于在所述审核资质为审核通过状态且所述安全管理评 分达到预设评分时, 则根据所述标识生成授权令牌;
[0098] 授权令牌发送模块 40, 用于将所述授权令牌发送至客户端, 以使所述合作渠道 方通过所述授权令牌接入开放平台;
[0099] 授权信息校验模块 50, 用于当合作渠道方通过授权令牌访问开放平台时, 对令 牌时限信息和权限描述信息进行校验, 当校验通过时, 将合作渠道方接入开放 开台。
[0100] 进一步地, 如图 8所示, 本实施例提供的开放平台的安全管理装置还包括安全 管理评分模块 50, 其中, 安全管理评分模块 50包括用户流量获取单元 51和安全 分值扣除单元 52。
[0101] 用户流量获取单元 51, 用于基于标识获取合作渠道方在预设时间段内的用户流 量;
[0102] 安全分值扣除单元 52, 用于在用户流量小于第一预设流量阈值或大于第二预设 流量阈值时, 则基于预设评分表将安全管理评分扣除相应分值。
[0103] 进一步地, 如图 9所示, 权限描述信息包括访问时间区间和访问位置范围; 授 权信息校验模块 50包括接入时间获取单元 51、 接入时间校验单元 52、 访问时间 校验单元 53和访问位置校验单元 54。
[0104] 接入时间获取单元 51, 用于当合作渠道方通过授权令牌请求接入开放平台时, 获取授权令牌的接入时间;
[0105] 接入时间校验单元 52, 用于当授权令牌的接入时间小于或等于预设时间阈值时 , 获取合作渠道方的当前访问时间;
[0106] 访问时间校验单元 53 , 用于当当前访问时间符合访问时间区间时, 获取合作渠 道方的当前访问位置;
[0107] 访问位置校验单元 54, 用于当当前访问位置在访问位置范围之内时, 将合作渠 道方接入开放平台。
[0108] 进一步地, 本实施例提供的开放平台的安全管理装置还包括交互报文加密模块 , 其中, 交互报文加密模块用于:
[0109] 获取合作渠道方与开放平台的交互报文;
[0110] 对交互报文进行加密, 发送加密后的交互报文。
[0111] 进一步地, 本实施例提供的开放平台的安全管理装置还包括密钥标识加密模块 , 其中, 密钥标识加密模块用于:
[0112] 获取对交互报文加密的密钥标识, 通过 RSA算法对密钥标识进行加密, 得到 RS A算法对应的公钥和私钥;
[0113] 将公钥发送至客户端, 并根据标识获取合作渠道方的预设接收方式;
[0114] 基于预设接收方式发送私钥, 以使合作渠道方通过公钥和私钥查看交互报文。
[0115] 关于开放平台的安全管理装置的具体限定可以参见上文中对于开放平台的安全 管理方法的限定, 在此不再赘述。 上述开放平台的安全管理装置中的各个模块 可全部或部分通过软件、 硬件及其组合来实现。 上述各模块可以硬件形式内嵌 于或独立于计算机设备中的处理器中, 也可以以软件形式存储于计算机设备中 的存储器中, 以便于处理器调用执行以上各个模块对应的操作。
[0116]
[0117] 在一个实施例中, 提供了一种计算机设备, 该计算机设备可以是服务器, 其内 部结构图可以如图 10所示。 该计算机设备包括通过系统总线连接的处理器、 存 储器、 网络接口和数据库。 其中, 该计算机设备的处理器用于提供计算和控制 能力。 该计算机设备的存储器包括非易失性存储介质、 内存储器。 该非易失性 存储介质存储有操作系统、 计算机可读指令和数据库。 该内存储器为非易失性 存储介质中的操作系统和计算机可读指令的运行提供环境。 该计算机设备的数 据库用于存储标识、 审核资质、 安全管理评分和授权令牌等。 该计算机设备的 网络接口用于与外部的终端通过网络连接通信。 该计算机可读指令被处理器执 行时以实现一种开放平台的安全管理方法。
[0118] 在一个实施例中, 提供了一种计算机设备, 包括存储器、 处理器及存储在存储 器上并可在处理器上运行的计算机可读指令, 处理器执行计算机可读指令时实 现以下步骤:
[0119] 获取合作渠道方的接入请求, 接入请求包括合作渠道方的标识; [0120] 根据接入请求获取合作渠道方的审核资质和安全管理评分;
[0121] 若审核资质为审核通过状态且安全管理评分达到预设评分, 则根据标识生成授 权令牌和与安全管理评分相应的授权信息, 授权信息包括令牌时限信息和权限 描述信息;
[0122] 将授权令牌发送至客户端;
[0123] 若合作渠道方通过授权令牌访问开放平台, 则对令牌时限信息和权限描述信息 进行校验, 若校验通过, 则将合作渠道方接入开放开台。
[0124] 在一个实施例中, 提供了一个或多个存储有计算机可读指令的非易失性可读存 储介质, 所述计算机可读指令被一个或多个处理器执行时, 使得所述一个或多 个处理器执行如下步骤:
[0125] 获取合作渠道方的接入请求, 接入请求包括合作渠道方的标识;
[0126] 根据接入请求获取合作渠道方的审核资质和安全管理评分;
[0127] 若审核资质为审核通过状态且安全管理评分达到预设评分, 则根据标识生成授 权令牌和与安全管理评分相应的授权信息, 授权信息包括令牌时限信息和权限 描述信息;
[0128] 将授权令牌发送至客户端;
[0129] 若合作渠道方通过授权令牌访问开放平台, 则对令牌时限信息和权限描述信息 进行校验, 若校验通过, 则将合作渠道方接入开放开台。
[0130] 本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程, 是可 以通过计算机可读指令来指令相关的硬件来完成, 所述的计算机可读指令可存 储于一非易失性计算机可读取存储介质中, 该计算机可读指令在执行时, 可包 括如上述各方法的实施例的流程。 其中, 本申请所提供的各实施例中所使用的 对存储器、 存储、 数据库或其它介质的任何引用, 均可包括非易失性和 /或易失 性存储器。 非易失性存储器可包括只读存储器 (ROM) 、 可编程 ROM (PROM ) 、 电可编程 ROM (EPROM) 、 电可擦除可编程 ROM (EEPROM) 或闪存。 易失性存储器可包括随机存取存储器 (RAM) 或者外部高速缓冲存储器。 作为 说明而非局限, RAM以多种形式可得, 诸如静态 RAM (SRAM) 、 动态 RAM ( DRAM) 、 同步 DRAM (SDRAM) 、 双数据率 SDRAM (DDRSDRAM) 、 增强 型 SDRAM (ESDRAM) 、 同步链路 (Synchlink) DRAM (SLDRAM) 、 存储 器总线 (Rambus) 直接 RAM (RDRAM) 、 直接存储器总线动态 RAM (DRDR AM) 、 以及存储器总线动态 RAM (RDRAM) 等。
[0131] 所属领域的技术人员可以清楚地了解到, 为了描述的方便和简洁, 仅以上述各 功能单元、 模块的划分进行举例说明, 实际应用中, 可以根据需要而将上述功 能分配由不同的功能单元、 模块完成, 即将所述装置的内部结构划分成不同的 功能单元或模块, 以完成以上描述的全部或者部分功能。
[0132] 以上所述实施例仅用以说明本申请的技术方案, 而非对其限制; 尽管参照前述 实施例对本申请进行了详细的说明, 本领域的普通技术人员应当理解: 其依然 可以对前述各实施例所记载的技术方案进行修改, 或者对其中部分技术特征进 行等同替换; 而这些修改或者替换, 并不使相应技术方案的本质脱离本申请各 实施例技术方案的精神和范围, 均应包含在本申请的保护范围之内。
发明概述
技术问题
问题的解决方案
发明的有益效果

Claims

权利要求书
[权利要求 i] 一种开放平台的安全管理方法, 其特征在于, 包括:
获取合作渠道方的接入请求, 所述接入请求包括所述合作渠道方的标 识;
根据所述接入请求获取所述合作渠道方的审核资质和安全管理评分; 若所述审核资质为审核通过状态且所述安全管理评分达到预设评分, 则根据所述标识生成授权令牌和与所述安全管理评分相应的授权信息 , 所述授权信息包括令牌时限信息和权限描述信息;
将所述授权令牌发送至客户端;
若所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令牌时 限信息和所述权限描述信息进行校验, 若校验通过, 则将所述合作渠 道方接入所述开放开台。
[权利要求 2] 如权利要求 1所述的开放平台的安全管理方法, 其特征在于, 在所述 根据所述接入请求获取所述合作渠道方的审核资质和安全管理评分之 前, 所述开放平台的安全管理方法还包括:
基于所述标识获取所述合作渠道方在预设时间段内的用户流量; 若所述用户流量小于第一预设流量阈值或大于第二预设流量阈值, 则 基于预设评分表将所述安全管理评分扣除相应分值。
[权利要求 3] 如权利要求 1所述的开放平台的安全管理方法, 其特征在于, 所述权 限描述信息包括访问时间区间和访问位置范围; 所述若所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令 牌时限信息和所述权限描述信息进行校验, 若校验通过, 则将所述合 作渠道方接入所述开放开台, 包括:
当所述合作渠道方通过所述授权令牌请求接入所述开放平台时, 获取 所述授权令牌的接入时间;
若所述授权令牌的接入时间小于或等于预设时间阈值, 则获取所述合 作渠道方的当前访问时间;
若所述当前访问时间符合所述访问时间区间, 则获取所述合作渠道方 的当前访问位置;
若所述当前访问位置在所述访问位置范围之内, 则将所述合作渠道方 接入所述开放平台。
[权利要求 4] 如权利要求 1-3任一项所述的开放平台的安全管理方法, 其特征在于
, 在所述若所述合作渠道方通过所述授权令牌访问开放平台, 则对所 述令牌时限信息和所述权限描述信息进行校验, 若校验通过, 则将所 述合作渠道方接入所述开放开台之后, 所述开放平台的安全管理方法 还包括:
获取所述合作渠道方与所述开放平台的交互报文; 对所述交互报文进行加密, 发送加密后的所述交互报文。
[权利要求 5] 如权利要求 4所述的开放平台的安全管理方法, 其特征在于, 在所述 对所述交互报文进行加密, 发送加密后的所述交互报文之后, 所述开 放平台的安全管理方法还包括:
获取对所述交互报文加密的密钥标识, 通过 RSA算法对所述密钥标识 进行加密, 得到 RSA算法对应的公钥和私钥;
将所述公钥发送至所述客户端, 并根据所述标识获取所述合作渠道方 的预设接收方式;
基于所述预设接收方式发送所述私钥, 以使所述合作渠道方通过所述 公钥和所述私钥查看所述交互报文。
[权利要求 6] —种开放平台的安全管理装置, 其特征在于, 包括:
接入请求获取模块, 用于获取合作渠道方的接入请求, 所述接入请求 包括所述合作渠道方的标识;
资质评分获取模块, 用于根据所述接入请求获取所述合作渠道方的审 核资质和安全管理评分;
授权令牌生成模块, 用于在所述审核资质为审核通过状态且所述安全 管理评分达到预设评分时, 则根据所述标识生成授权令牌和与所述安 全管理评分相应的授权信息, 所述授权信息包括令牌时限信息和权限 描述信息; 授权令牌发送模块, 用于将所述授权令牌发送至客户端; 授权信息校验模块, 用于当所述合作渠道方通过所述授权令牌访问开 放平台时, 对所述令牌时限信息和所述权限描述信息进行校验, 当校 验通过时, 将所述合作渠道方接入所述开放开台。
[权利要求 7] 如权利要求 6所述的开放平台的安全管理装置, 其特征在于, 所述开 放平台的安全管理装置还包括安全管理评分模块, 所述安全管理评分 模块包括用户流量获取单元和安全分值扣除单元; 所述用户流量获取单元, 用于基于所述标识获取所述合作渠道方在预 设时间段内的用户流量;
所述安全分值扣除单元, 用于在所述用户流量小于第一预设流量阈值 或大于第二预设流量阈值时, 则基于预设评分表将所述安全管理评分 扣除相应分值。
[权利要求 8] 如权利要求 6所述的开放平台的安全管理装置, 其特征在于, 所述权 限描述信息包括访问时间区间和访问位置范围; 所述授权信息校验模块包括接入时间获取单元、 接入时间校验单元、 访问时间校验单元和访问位置校验单元;
所述接入时间获取单元, 用于当所述合作渠道方通过所述授权令牌请 求接入所述开放平台时, 获取所述授权令牌的接入时间;
所述接入时间校验单元, 用于当所述授权令牌的接入时间小于或等于 预设时间阈值时, 获取所述合作渠道方的当前访问时间;
所述访问时间校验单元, 用于当所述当前访问时间符合所述访问时间 区间时, 获取所述合作渠道方的当前访问位置; 所述访问位置校验单元, 用于当所述当前访问位置在所述访问位置范 围之内时, 将所述合作渠道方接入所述开放平台。
[权利要求 9] 如权利要求 6-8任一项所述的开放平台的安全管理装置, 其特征在于
, 所述开放平台的安全管理装置还包括交互报文加密模块; 所述交互报文加密模块用于获取合作渠道方与开放平台的交互报文; 对交互报文进行加密, 发送加密后的交互报文。
[权利要求 10] 如权利要求 9所述的开放平台的安全管理装置, 其特征在于, 所述开 放平台的安全管理装置还包括密钥标识加密模块; 所述密钥标识加密模块用于获取对交互报文加密的密钥标识, 通过 R SA算法对密钥标识进行加密, 得到 RSA算法对应的公钥和私钥; 将 公钥发送至客户端, 并根据标识获取合作渠道方的预设接收方式; 基 于预设接收方式发送私钥, 以使合作渠道方通过公钥和私钥查看交互 报文。
[权利要求 11] 一种计算机设备, 包括存储器、 处理器以及存储在所述存储器中并可 在所述处理器上运行的计算机可读指令, 其特征在于, 所述处理器执 行所述计算机可读指令时实现如下步骤:
获取合作渠道方的接入请求, 所述接入请求包括所述合作渠道方的标 识;
根据所述接入请求获取所述合作渠道方的审核资质和安全管理评分; 若所述审核资质为审核通过状态且所述安全管理评分达到预设评分, 则根据所述标识生成授权令牌和与所述安全管理评分相应的授权信息 , 所述授权信息包括令牌时限信息和权限描述信息;
将所述授权令牌发送至客户端;
若所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令牌时 限信息和所述权限描述信息进行校验, 若校验通过, 则将所述合作渠 道方接入所述开放开台。
[权利要求 12] 如权利要求 11所述的计算机设备, 其特征在于, 在所述根据所述接入 请求获取所述合作渠道方的审核资质和安全管理评分之前, 所述处理 器执行所述计算机可读指令时还实现如下步骤: 基于所述标识获取所述合作渠道方在预设时间段内的用户流量; 若所述用户流量小于第一预设流量阈值或大于第二预设流量阈值, 则 基于预设评分表将所述安全管理评分扣除相应分值。
[权利要求 13] 如权利要求 11所述的计算机设备, 其特征在于, 所述权限描述信息包 括访问时间区间和访问位置范围; 所述若所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令 牌时限信息和所述权限描述信息进行校验, 若校验通过, 则将所述合 作渠道方接入所述开放开台, 包括:
当所述合作渠道方通过所述授权令牌请求接入所述开放平台时, 获取 所述授权令牌的接入时间;
若所述授权令牌的接入时间小于或等于预设时间阈值, 则获取所述合 作渠道方的当前访问时间;
若所述当前访问时间符合所述访问时间区间, 则获取所述合作渠道方 的当前访问位置;
若所述当前访问位置在所述访问位置范围之内, 则将所述合作渠道方 接入所述开放平台。
[权利要求 14] 如权利要求 11-13任一项所述的计算机设备, 其特征在于, 在所述若 所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令牌时限 信息和所述权限描述信息进行校验, 若校验通过, 则将所述合作渠道 方接入所述开放开台之后, 所述处理器执行所述计算机可读指令时还 实现如下步骤:
获取所述合作渠道方与所述开放平台的交互报文; 对所述交互报文进行加密, 发送加密后的所述交互报文。
[权利要求 15] 如权利要求 14所述的计算机设备, 其特征在于, 在所述对所述交互报 文进行加密, 发送加密后的所述交互报文之后, 所述处理器执行所述 计算机可读指令时还实现如下步骤:
获取对所述交互报文加密的密钥标识, 通过 RSA算法对所述密钥标识 进行加密, 得到 RSA算法对应的公钥和私钥;
将所述公钥发送至所述客户端, 并根据所述标识获取所述合作渠道方 的预设接收方式;
基于所述预设接收方式发送所述私钥, 以使所述合作渠道方通过所述 公钥和所述私钥查看所述交互报文。
[权利要求 16] —个或多个存储有计算机可读指令的非易失性可读存储介质, 所述计 算机可读指令被一个或多个处理器执行时, 使得所述一个或多个处理 器执行如下步骤:
获取合作渠道方的接入请求, 所述接入请求包括所述合作渠道方的标 识;
根据所述接入请求获取所述合作渠道方的审核资质和安全管理评分; 若所述审核资质为审核通过状态且所述安全管理评分达到预设评分, 则根据所述标识生成授权令牌和与所述安全管理评分相应的授权信息 , 所述授权信息包括令牌时限信息和权限描述信息;
将所述授权令牌发送至客户端;
若所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令牌时 限信息和所述权限描述信息进行校验, 若校验通过, 则将所述合作渠 道方接入所述开放开台。
[权利要求 17] 如权利要求 16所述的非易失性可读存储介质, 其特征在于, 在所述根 据所述接入请求获取所述合作渠道方的审核资质和安全管理评分之前 , 所述计算机可读指令被一个或多个处理器执行时, 使得所述一个或 多个处理器还执行如下步骤:
基于所述标识获取所述合作渠道方在预设时间段内的用户流量; 若所述用户流量小于第一预设流量阈值或大于第二预设流量阈值, 则 基于预设评分表将所述安全管理评分扣除相应分值。
[权利要求 18] 如权利要求 16所述的非易失性可读存储介质, 其特征在于, 所述权限 描述信息包括访问时间区间和访问位置范围;
所述若所述合作渠道方通过所述授权令牌访问开放平台, 则对所述令 牌时限信息和所述权限描述信息进行校验, 若校验通过, 则将所述合 作渠道方接入所述开放开台, 包括:
当所述合作渠道方通过所述授权令牌请求接入所述开放平台时, 获取 所述授权令牌的接入时间;
若所述授权令牌的接入时间小于或等于预设时间阈值, 则获取所述合 作渠道方的当前访问时间; 若所述当前访问时间符合所述访问时间区间, 则获取所述合作渠道方 的当前访问位置;
若所述当前访问位置在所述访问位置范围之内, 则将所述合作渠道方 接入所述开放平台。
[权利要求 19] 如权利要求 16-18任一项所述的非易失性可读存储介质, 其特征在于
, 在所述若所述合作渠道方通过所述授权令牌访问开放平台, 则对所 述令牌时限信息和所述权限描述信息进行校验, 若校验通过, 则将所 述合作渠道方接入所述开放开台之后, 所述计算机可读指令被一个或 多个处理器执行时, 使得所述一个或多个处理器还执行如下步骤: 获取所述合作渠道方与所述开放平台的交互报文; 对所述交互报文进行加密, 发送加密后的所述交互报文。
[权利要求 20] 如权利要求 19所述的非易失性可读存储介质, 其特征在于, 在所述对 所述交互报文进行加密, 发送加密后的所述交互报文之后, 所述计算 机可读指令被一个或多个处理器执行时, 使得所述一个或多个处理器 还执行如下步骤:
获取对所述交互报文加密的密钥标识, 通过 RSA算法对所述密钥标识 进行加密, 得到 RSA算法对应的公钥和私钥;
将所述公钥发送至所述客户端, 并根据所述标识获取所述合作渠道方 的预设接收方式;
基于所述预设接收方式发送所述私钥, 以使所述合作渠道方通过所述 公钥和所述私钥查看所述交互报文。
PCT/CN2019/103517 2019-04-16 2019-08-30 开放平台的安全管理方法、装置、计算机设备及存储介质 WO2020211252A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910305905.2A CN110175466B (zh) 2019-04-16 2019-04-16 开放平台的安全管理方法、装置、计算机设备及存储介质
CN201910305905.2 2019-04-16

Publications (1)

Publication Number Publication Date
WO2020211252A1 true WO2020211252A1 (zh) 2020-10-22

Family

ID=67689933

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/103517 WO2020211252A1 (zh) 2019-04-16 2019-08-30 开放平台的安全管理方法、装置、计算机设备及存储介质

Country Status (2)

Country Link
CN (1) CN110175466B (zh)
WO (1) WO2020211252A1 (zh)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110175466B (zh) * 2019-04-16 2024-03-08 平安科技(深圳)有限公司 开放平台的安全管理方法、装置、计算机设备及存储介质
CN110519380B (zh) * 2019-08-29 2022-06-21 北京旷视科技有限公司 一种数据访问方法、装置、存储介质及电子设备
CN111800382B (zh) * 2020-05-28 2024-04-05 中国平安财产保险股份有限公司 合作系统对接方法、装置、系统及计算机可读存储介质
CN111639327A (zh) * 2020-05-29 2020-09-08 深圳前海微众银行股份有限公司 一种开放平台的认证方法及装置
CN111698312B (zh) * 2020-06-08 2022-10-21 中国建设银行股份有限公司 基于开放平台的业务处理方法、装置、设备和存储介质
CN112464175A (zh) * 2020-11-11 2021-03-09 中国建设银行股份有限公司 脚本审核执行方法、系统、设备和存储介质
CN112804242B (zh) * 2021-01-25 2022-09-13 蔡世泳 一种无感知自动发现的api安全管理系统及方法
CN114124885A (zh) * 2021-11-08 2022-03-01 北京天融信网络安全技术有限公司 实现网络地址自动转换的方法及设备

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070043684A1 (en) * 2005-08-18 2007-02-22 Fargo Electronics, Inc. Central Management of a Credential Production System
CN106506494A (zh) * 2016-10-27 2017-03-15 上海斐讯数据通信技术有限公司 一种开放平台的应用接入方法
CN106534175A (zh) * 2016-12-07 2017-03-22 西安电子科技大学 基于OAuth协议的开放平台授权认证系统及方法
CN107332861A (zh) * 2017-08-11 2017-11-07 杭州亿方云网络科技有限公司 一种基于OAuth协议的开放平台架构系统
CN110175466A (zh) * 2019-04-16 2019-08-27 平安科技(深圳)有限公司 开放平台的安全管理方法、装置、计算机设备及存储介质

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067338B (zh) * 2011-10-20 2017-04-19 上海贝尔股份有限公司 第三方应用的集中式安全管理方法和系统及相应通信系统
CN103455559B (zh) * 2011-12-27 2016-11-16 北京奇虎科技有限公司 一种应用自动推荐的方法及装置
CN103685193B (zh) * 2012-09-20 2018-01-30 腾讯科技(深圳)有限公司 一种第三方应用接入开放平台的方法及开放平台接入系统
CN104518954B (zh) * 2013-09-30 2018-11-16 腾讯科技(深圳)有限公司 信息发送方法、装置和开放平台
CN104113549B (zh) * 2014-07-28 2017-07-18 百度在线网络技术(北京)有限公司 一种平台授权方法、平台服务端及应用客户端和系统
WO2016044308A1 (en) * 2014-09-15 2016-03-24 PerimeterX, Inc. Analyzing client application behavior to detect anomalies and prevent access
CN105306534B (zh) * 2015-09-21 2019-05-14 拉扎斯网络科技(上海)有限公司 一种基于开放平台的信息校验方法和开放平台
CN105827643A (zh) * 2016-05-17 2016-08-03 世纪禾光科技发展(北京)有限公司 开放平台管理系统及方法
CN108255874A (zh) * 2016-12-29 2018-07-06 百度在线网络技术(北京)有限公司 一种用于提供开放api搜索结果的方法与设备
CN110097448A (zh) * 2019-03-19 2019-08-06 平安普惠企业管理有限公司 基于开放平台的渠道方接入方法、装置、设备及存储介质

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070043684A1 (en) * 2005-08-18 2007-02-22 Fargo Electronics, Inc. Central Management of a Credential Production System
CN106506494A (zh) * 2016-10-27 2017-03-15 上海斐讯数据通信技术有限公司 一种开放平台的应用接入方法
CN106534175A (zh) * 2016-12-07 2017-03-22 西安电子科技大学 基于OAuth协议的开放平台授权认证系统及方法
CN107332861A (zh) * 2017-08-11 2017-11-07 杭州亿方云网络科技有限公司 一种基于OAuth协议的开放平台架构系统
CN110175466A (zh) * 2019-04-16 2019-08-27 平安科技(深圳)有限公司 开放平台的安全管理方法、装置、计算机设备及存储介质

Also Published As

Publication number Publication date
CN110175466A (zh) 2019-08-27
CN110175466B (zh) 2024-03-08

Similar Documents

Publication Publication Date Title
WO2020211252A1 (zh) 开放平台的安全管理方法、装置、计算机设备及存储介质
US11558381B2 (en) Out-of-band authentication based on secure channel to trusted execution environment on client device
US9350536B2 (en) Cloud key management system
US9166966B2 (en) Apparatus and method for handling transaction tokens
CN106888084B (zh) 一种量子堡垒机系统及其认证方法
US8572686B2 (en) Method and apparatus for object transaction session validation
CN111429254A (zh) 一种业务数据处理方法、设备以及可读存储介质
US20100268942A1 (en) Systems and Methods for Using Cryptographic Keys
US8806602B2 (en) Apparatus and method for performing end-to-end encryption
CN106789059B (zh) 一种基于可信计算的远程双向访问控制系统及方法
US8752157B2 (en) Method and apparatus for third party session validation
US8572690B2 (en) Apparatus and method for performing session validation to access confidential resources
CN112632574A (zh) 基于联盟链的多机构数据处理方法、装置及相关设备
WO2010115607A1 (en) Secure data system
US10333707B1 (en) Systems and methods for user authentication
US8572724B2 (en) Method and apparatus for network session validation
US11245684B2 (en) User enrollment and authentication across providers having trusted authentication and identity management services
CN107196957A (zh) 一种分布式身份认证方法及系统
US8572688B2 (en) Method and apparatus for session validation to access third party resources
US8584201B2 (en) Method and apparatus for session validation to access from uncontrolled devices
US8726340B2 (en) Apparatus and method for expert decisioning
CN118569992B (zh) 一种隐私数据交易方法
US20240048551A1 (en) Computer access control using registration and communication secrets
US8572687B2 (en) Apparatus and method for performing session validation
CN113271306B (zh) 数据请求、发送方法、设备以及系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19925129

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19925129

Country of ref document: EP

Kind code of ref document: A1