WO2022095730A1 - Service communication method, system, apparatus and electronic device - Google Patents
- Publication number: WO2022095730A1 (PCT application PCT/CN2021/125653)
- Authority: WO (WIPO (PCT))
- Prior art keywords: service, access process, service access, verification processing, information
Classifications
- All classifications fall under H—ELECTRICITY, H04—ELECTRIC COMMUNICATION TECHNIQUE, within H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION (H04L63/00 Network architectures or network communication protocols for network security; H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, network security protocols; H04L67/00 Network arrangements or protocols for supporting network services or applications) and H04W—WIRELESS COMMUNICATION NETWORKS (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity).
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
- H04L63/12—Applying verification of the received information
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
- H04L9/12—Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s), using a key encryption key
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s), using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key or password length, or different strong and weak cryptographic algorithms
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using a plurality of keys or algorithms
- H04L9/3236—Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) using cryptographic hash functions
- H04L9/3247—Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L9/3263—Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L9/40—Network security protocols
- H04W12/0431—Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor: key distribution or pre-distribution; key agreement
- H04W12/069—Authentication using certificates or pre-shared keys
Definitions
- The present application relates to communication technologies, and in particular to a service communication method, system, apparatus, electronic device, computer-readable storage medium, and computer program product.
- Interface calls occur frequently; for example, a process on a terminal device calls the interface of another process on the same terminal device, or a process on a terminal device calls the interface of a process on a server.
- The purpose of an interface call is to implement service communication, such as sending or requesting specific data.
- An embodiment of the present application provides a service communication method which includes, among other steps, controlling the communication connection with the service access process that carries the encrypted service communication.
- An embodiment of the present application provides a service communication system including a service access client, a security client, and a security server, wherein the service access client runs a service access process and the security client is configured to, among other steps, control the communication connection with the service access process that carries the encrypted service communication.
- An embodiment of the present application provides a service communication device including:
- a receiving module configured to receive an authentication request sent by the service access process;
- a verification module configured to perform synchronous verification processing on the service access process and to perform asynchronous verification processing on the service access process;
- a determining module configured to determine the service key information allocated to the service access process according to the synchronous verification processing result of the service access process;
- a sending module configured to send the service key information to the service access process, so as to perform encrypted service communication with the service access process based on the service key information; and
- a connection control module configured to control the communication connection with the service access process that carries the encrypted service communication, according to the asynchronous verification processing result of the service access process.
- An embodiment of the present application provides an electronic device including a memory and a processor, where the processor is configured to implement the service communication method provided by the embodiment of the present application when executing the executable instructions stored in the memory.
- The embodiments of the present application provide a computer-readable storage medium storing executable instructions which, when executed by a processor, implement the service communication method provided by the embodiments of the present application.
- The embodiments of the present application provide a computer program product including executable instructions which, when executed by a processor, implement the service communication method provided by the embodiments of the present application.
- FIG. 1 is a schematic structural diagram of a service communication system provided by an embodiment of the present application.
- FIG. 2 is a schematic structural diagram of a service communication system combined with a blockchain network provided by an embodiment of the present application.
- FIG. 3 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
- FIG. 4A is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- FIG. 4B is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- FIG. 4C is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- FIG. 4D is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- FIG. 4E is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- FIG. 5 is a schematic diagram of a policy management interface of a security management terminal provided by an embodiment of the present application.
- FIG. 6 is a schematic diagram of process information provided by an embodiment of the present application.
- FIG. 7 is a schematic diagram of a zero-trust gateway interface of a security management terminal provided by an embodiment of the present application.
- FIG. 8 is a schematic diagram of a configuration interface of a zero-trust gateway provided by an embodiment of the present application.
- FIG. 9 is a schematic diagram of a service system interface of a security management terminal provided by an embodiment of the present application.
- FIG. 10 is a schematic diagram of a configuration interface of a service system provided by an embodiment of the present application.
- FIG. 11 is a schematic diagram of a configuration interface of a service system provided by an embodiment of the present application.
- FIG. 12 is a schematic diagram of a configuration interface of a service system provided by an embodiment of the present application.
- FIG. 13 is a schematic diagram of a policy management interface of a security management terminal provided by an embodiment of the present application.
- FIG. 14 is a schematic diagram of a security client interface provided by an embodiment of the present application.
- FIG. 15 is a schematic diagram of a security client interface provided by an embodiment of the present application.
- FIG. 16 is a schematic diagram of a security client interface provided by an embodiment of the present application.
- FIG. 17 is a schematic diagram of an access process provided by an embodiment of the present application.
- FIG. 18 is a schematic diagram of an access process provided by an embodiment of the present application.
- FIG. 19 is a schematic diagram of cascaded deployment of security servers provided by an embodiment of the present application.
- FIG. 20 is a schematic diagram of an asynchronous verification process provided by an embodiment of the present application.
- The terms “first/second/third” are only used to distinguish similar objects and do not represent a specific ordering of objects. It is understood that, where permitted, the specific order or sequence of “first/second/third” may be interchanged so that the embodiments of the application described herein can be practiced in sequences other than those illustrated or described herein. In the following description, the term “plurality” refers to at least two.
- Service access process: the process acting as the caller. The embodiment of this application does not limit the type of the service access process; it may be an application process (such as a process of a conference application) or a process dedicated to proxying the service requests of an application process.
- Synchronous verification processing: processing whose completion must be awaited, that is, other steps can only be performed once the synchronous verification processing result has been obtained. In the embodiment of this application, this involves the synchronous verification processing of the service access process and the synchronous verification processing of the application process; for example, the step of determining the service key information allocated to the service access process waits for the synchronous verification processing result.
- Asynchronous verification processing: processing during which other steps may be performed. In the embodiment of this application, this involves the asynchronous verification processing of the service access process and the synchronous verification processing of the application process; for example, encrypted service communication can proceed while the asynchronous verification processing of the service access process is in progress.
- Service key information: information used for encrypted service communication; it includes at least a key and may also include information such as a key identifier.
- Signature information: information related to a digital signature; for example, it may include the digital signature itself and certificate information.
- Hash: converting an input of any length into a fixed-length output through a hash algorithm (also called hashing); the output is the hash value (also called the hash result), and the hash value can be used to identify the input.
- Hash algorithms include the message digest (MD) algorithms, the secure hash algorithms (SHA), and so on.
- Symmetric key: the party sending the data and the party receiving the data use the same key for encryption and decryption. The embodiment of this application does not limit how the symmetric key is generated.
- AES: Advanced Encryption Standard.
- Asymmetric key pair: a pair consisting of a public key and a private key. The party sending the data encrypts the data with the public key and the party receiving the data decrypts the encrypted data with the private key; alternatively, the private key is used to encrypt the data and the public key is used to decrypt the encrypted data.
- Service gateway: forwards received service requests to the corresponding service server, thereby proxying the service requests. The service gateway may be implemented in software or in hardware.
- Service server: a server that provides service resources. For example, the background server of a conference application is the service server, which provides data support for the network operations of the conference application.
- Blockchain: a chained storage structure of encrypted transactions formed from blocks.
- Blockchain network: a collection of nodes that incorporate new blocks into the blockchain through consensus.
- Embodiments of the present application provide a service communication method, system, apparatus, electronic device, and computer-readable storage medium that can improve the security of service communication. Exemplary applications of the electronic device provided by the embodiments are described below; the electronic device may be implemented as a terminal device or as a server.
- FIG. 1 is a schematic structural diagram of a service communication system 100 provided by an embodiment of the present application.
- a terminal device 400 is connected to a server 200 through a network 300, and the network 300 may be a wide area network or a local area network, or a combination of the two.
- the terminal device 400 runs a service access client.
- the service communication method provided by the embodiments of the present application may be implemented by the terminal device.
- The service access client in the terminal device 400 can, through the service access process it runs, call the interface of the application process of an application client in the terminal device 400; that is, the application client receives the authentication request sent by the service access process.
- The application client can perform synchronous verification processing and asynchronous verification processing on the service access process, determine the allocated service key information according to the synchronous verification processing result, and perform encrypted service communication with the service access process based on the service key information.
- When the application client obtains the asynchronous verification processing result, it can also control the communication connection with the service access process according to that result.
- The service access process can serve various service purposes, which are not limited here.
- For example, the service access process may be the application process of an instant messaging client (hereinafter client A), which calls the application process of a file management client (hereinafter client B).
- When a file link in client A (such as a file link shared in the session interface) is triggered by the user, the application process of client A calls the interface of the application process of client B to establish encrypted service communication with the application process of client B.
- For example, the application process of client A can send a service request including the file link to the application process of client B; the application process of client B can look up the file corresponding to the file link among the files it manages and send the queried file to the application process of client A for display on the interface of client A.
- the service communication method provided by the embodiments of the present application may be implemented by the server.
- The service access client in the terminal device 400 can, through the service access process it runs, call the interface of a process running in the server 200; that is, the server 200 receives the authentication request sent by the service access process.
- The server 200 may perform synchronous verification processing and asynchronous verification processing on the service access process in order to establish encrypted service communication with the service access process.
- the service access client may be the client of an application
- the server 200 is the background server of the application
- The service access client may establish encrypted service communication with the process in the server 200 through the service access process, and thereby request application data (i.e., response data) from the process in the server 200.
- The service communication method provided by the embodiments of the present application may also be implemented by a terminal device and a server in cooperation.
- For example, the terminal device 400 runs a security client and the server 200 is a security server.
- The security client receives the authentication request sent by the service access process, performs synchronous verification processing on the service access process, and notifies the security server to perform asynchronous verification processing on the service access process, so as to establish encrypted service communication with the service access process.
- The terminal device 400 or the server 200 may implement the service communication method provided by the embodiments of the present application by running a computer program.
- For example, the computer program may be a native program or software module in an operating system; a native application (APP), that is, a program that must be installed in the operating system to run; a small program, that is, a program that can be run only after being downloaded into the browser environment; or an applet embedded in any APP, where the applet component can be run or closed under user control.
- In general, the above-mentioned computer program may be any form of application, module or plug-in.
- The server 200 may be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms; the cloud service may be an asynchronous verification service that the terminal device 400 calls.
- the terminal device 400 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart TV, a smart speaker, a smart watch, etc., but is not limited thereto.
- the terminal device and the server may be directly or indirectly connected through wired or wireless communication, which is not limited in this embodiment of the present application.
- FIG. 2 is a schematic structural diagram of a business communication system 110 combined with a blockchain network provided by an embodiment of the present application, including a blockchain network 500 (the blockchain network 500 usually includes a plurality of nodes; node 510 is shown here as an example), an authentication center 600 and an electronic device 700.
- the electronic device 700 may be a server (such as the server 200 shown in FIG. 1) or a terminal device (such as the terminal device 400 shown in FIG. 1), depending on the actual application scenario.
- the authentication center 600 is used to issue a digital certificate to the electronic device 700.
- the electronic device 700 can access the blockchain network 500 to become a client node of the blockchain network 500, and then query the data stored in the blockchain, where the blockchain can be used to store various information in the process of business communication .
- the electronic device 700 may query the blacklist stored in the blockchain to perform at least one of synchronous verification processing and asynchronous verification processing on the service access process according to the blacklist.
- FIG. 3 is a schematic structural diagram of a terminal device 400 provided by an embodiment of the present application.
- the various components in the terminal device 400 shown in FIG. 3 are coupled together by a bus system 440.
- the bus system 440 is used to implement the connection communication between these components.
- the bus system 440 also includes a power bus, a control bus, and a status signal bus.
- the various buses are labeled as bus system 440 in FIG. 3 .
- the processor 410 may be an integrated circuit chip with signal processing capabilities, such as a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., where a general-purpose processor may be a microprocessor or any conventional processor or the like.
- User interface 430 includes one or more output devices 431 that enable presentation of media content, including one or more speakers and/or one or more visual display screens.
- User interface 430 also includes one or more input devices 432, including user interface components that facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, and other input buttons and controls.
- Memory 450 may be removable, non-removable, or a combination thereof.
- Exemplary hardware devices include solid state memory, hard drives, optical drives, and the like.
- Memory 450 optionally includes one or more storage devices that are physically remote from processor 410 .
- Memory 450 includes volatile memory or non-volatile memory, and may also include both volatile and non-volatile memory.
- the non-volatile memory may be a read-only memory (ROM, Read Only Memory), and the volatile memory may be a random access memory (RAM, Random Access Memory).
- the memory 450 described in the embodiments of the present application is intended to include any suitable type of memory.
- memory 450 is capable of storing data to support various operations, examples of which include programs, modules, and data structures, or subsets or supersets thereof, as exemplified below.
- the operating system 451 includes system programs for processing various basic system services and performing hardware-related tasks, such as framework layer, core library layer, driver layer, etc., for implementing various basic services and processing hardware-based tasks;
- a presentation module 453 for enabling presentation of information (e.g., a user interface for operating peripherals and displaying content and information) via one or more output devices 431 (e.g., a display screen, speakers, etc.) associated with the user interface 430;
- An input processing module 454 for detecting one or more user inputs or interactions from one of the one or more input devices 432 and translating the detected inputs or interactions.
- the service communication apparatus provided by the embodiments of the present application may be implemented in software.
- FIG. 3 shows the service communication apparatus 455 stored in the memory 450, which may be software in the form of programs and plug-ins, including the following software modules: a receiving module 4551, a verifying module 4552, a determining module 4553, a sending module 4554 and a connection control module 4555. These modules are logical, so they can be combined or further divided in any way according to the functions realized. The function of each module will be explained below.
- FIG. 4A is a schematic flowchart of a service communication method provided by an embodiment of the present application, which will be described in conjunction with the steps shown in FIG. 4A .
- step 101 an authentication request sent by a service access process is received.
- the electronic device receives the authentication request sent by the service access process.
- an authentication interface (such as a specific port) can be pre-agreed in the electronic device.
- when the electronic device receives a call request for the authentication interface, the call request is used as the authentication request.
- the service access process may be an application process of an application client, or a process used to proxy the application client, which will be described later. It should be noted that the embodiment of the present application does not limit the type of the service, for example, it may be an instant messaging service or a video service.
- step 102 synchronous verification processing is performed on the service access process, and asynchronous verification processing is performed on the service access process.
- synchronous verification processing and asynchronous verification processing are performed to verify its legitimacy.
- the embodiments of the present application do not limit the execution order of the synchronous verification processing and the asynchronous verification processing, for example, they may be executed simultaneously, or, for example, the asynchronous verification processing may be executed when the result of the synchronous verification processing is that the verification is successful.
- the embodiments of the present application also do not limit the processing methods of the synchronous verification processing and the asynchronous verification processing.
- the verification objects of the synchronous verification processing and the asynchronous verification processing may be the same; the difference is that the synchronous verification processing is performed only once, while the asynchronous verification processing is performed periodically, multiple times.
- step 103 the service key information allocated to the service access process is determined according to the synchronous verification processing result of the service access process.
- whether to determine the service key information allocated to the service access process can be determined according to the synchronous verification processing result of the service access process.
- the service key information includes at least a key, and may also include a key identifier and the like.
- the service key information may be pre-allocated for the service access process, or may be allocated in real time, which is not limited.
- the electronic device can also periodically update the service key information allocated to the service access process, and perform invalidation processing on the service key information from before the update, so as to trigger the service access process to resend the authentication request and obtain the updated service key information.
- the electronic device may pre-agree on multiple authentication request addresses, so that the service access process sends the authentication request according to one of the authentication request addresses.
- when the electronic device determines the service key information allocated to the service access process, it can implement various allocation schemes according to two factors: the service access process itself and the authentication request address.
- the first allocation scheme is to allocate different service key information for authentication request addresses sent by different service access processes, and also to allocate different service key information for different authentication request addresses sent by the same service access process.
- the security of this distribution scheme is higher, and the quantity of distributed service key information is also larger, and the electronic device needs to consume more storage resources to store the distributed service key information.
- the second allocation scheme is that different service key information is allocated to the authentication request addresses sent by different service access processes, while the same service key information is allocated to different authentication request addresses sent by the same service access process, that is, only the service access process is differentiated. Compared with the first allocation scheme, the second allocation scheme requires less storage resources.
- the third allocation scheme is to allocate uniform service key information without distinguishing the service access process and the authentication request address. This scheme requires the least amount of storage resources.
- any one of the above three allocation schemes can be selected.
- an enterprise that has the highest security requirements can choose the first allocation scheme above.
- the flexibility of distributing service key information is improved.
- the above-mentioned determination of the service key information allocated to the service access process according to the synchronous verification processing result can be implemented in this way: when the synchronous verification processing result of the service access process is verification success, the service key information allocated to the service access process is determined; when the synchronous verification processing result of the service access process is verification failure, this proves that the service access process is illegal, so allocation of service key information to the service access process is refused, and the communication connection with the service access process can also be disconnected. That is, the synchronous verification processing of the service access process can in essence be regarded as a preliminary verification of whether the service access process is legal.
- for example, an error message may be sent to the service access process to notify it to resend the authentication request, or the communication connection with the service access process may be disconnected.
- if the asynchronous verification processing of the service access process is still being executed when the synchronous verification processing result is obtained as verification failure, the asynchronous verification processing of the service access process can be interrupted to save computing resources.
- step 104 the service key information is sent to the service access process, so as to perform encrypted service communication with the service access process based on the service key information.
- the electronic device sends the service key information allocated to the service access process to the service access process, so that encrypted service communication with the service access process can be performed based on the service key information.
- for example, when the service key information includes a symmetric key, the service access process can encrypt data with the symmetric key and send the encrypted data to the electronic device, so that the electronic device can decrypt the received data with the symmetric key; similarly, the electronic device can encrypt data with the symmetric key and send the encrypted data to the service access process, so that the service access process can decrypt the received data with the symmetric key.
- step 105 according to the asynchronous verification processing result of the service access process, the communication connection with the service access process for carrying encrypted service communication is controlled.
- the communication connection with the service access process for carrying encrypted service communication is controlled according to the asynchronous verification processing result.
- the embodiment of the present application does not limit the type of the communication connection, for example, it may be a socket (Socket) connection.
- the above-mentioned control of the communication connection with the service access process for carrying encrypted service communication according to the asynchronous verification processing result can be implemented in this way: when the asynchronous verification processing result of the service access process is verification success, the communication connection with the service access process for carrying the encrypted service communication is maintained; when the asynchronous verification processing result of the service access process is verification failure, the communication connection with the service access process is disconnected.
- the asynchronous verification processing of the service access process can be regarded as a re-verification of whether the service access process is legal in essence.
- the embodiment of the present application can effectively verify the legitimacy of the service access process by combining synchronous verification processing and asynchronous verification processing; at the same time, performing encrypted service communication through the service key information issued by the electronic device can reduce the probability of the service key information being stolen and used by malicious processes, and improve the security of service communication.
- FIG. 4B is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- Step 102 shown in FIG. 4A can be implemented through steps 201 to 204 , which will be described in conjunction with each step.
- step 201 the matching result between the process path of the service access process and the set security directory is taken as the first verification processing result.
- the synchronous verification processing of the service access process may include the verification processing of the process path and the verification processing of the signature information.
- the security directory can be preset according to the actual application scenario, and the process path of the service access process is matched with the security directory, and the obtained matching result is used as the first verification processing result.
- when the process path of the service access process is located in the security directory, the matching result between the process path and the security directory is determined to be success, that is, the first verification processing result is verification success; when the process path of the service access process is not located in the security directory, this proves that the service access process is illegal, and the matching result between the process path and the security directory is determined to be failure, that is, the first verification processing result is verification failure.
- step 202 verification processing is performed on the signature information of the service access process to obtain a second verification processing result.
- the signature information generally refers to the information related to the digital signature of the service access process, and the specific content of the signature information that needs to be verified can be determined according to the security requirements in the actual application scenario. After performing verification processing on the signature information of the service access process, a second verification processing result is obtained.
- the above-mentioned verification processing on the signature information of the service access process to obtain a second verification processing result can be implemented in this way: the second verification processing result is determined according to at least one of whether the signature information includes a digital signature, the validity verification processing result of the digital signature, the matching result between the signer of the digital signature and a signer blacklist, and the matching result between the certificate information in the signature information and a certificate information blacklist.
- the embodiment of the present application provides four influencing factors for the verification processing of the signature information of the service access process, which will be described separately below.
- 1) whether the signature information includes a digital signature. For example, when the signature information includes a digital signature, the second verification processing result is determined to be verification success; when the signature information does not include a digital signature, the second verification processing result is determined to be verification failure.
- 2) the validity verification processing result obtained by performing validity verification processing on the digital signature in the signature information may be directly used as the second verification processing result; the manner of the validity verification processing will be described later.
- 3) the matching result between the signer of the digital signature in the signature information and the signer blacklist, where the signer blacklist includes multiple malicious signers. When the signer of the digital signature of the service access process is the same as any malicious signer in the signer blacklist, that is, when the matching succeeds, the second verification processing result is determined to be verification failure; when the signer of the digital signature of the service access process is different from all malicious signers in the signer blacklist, that is, when the matching fails, the second verification processing result is determined to be verification success.
- 4) the matching result between the certificate information in the signature information and the certificate information blacklist, where the certificate refers to a digital certificate (Digital Certificate) and the certificate information blacklist includes multiple items of malicious certificate information. When the certificate information of the service access process is the same as any malicious certificate information in the certificate information blacklist, that is, when the matching succeeds, the second verification processing result is determined to be verification failure; when the certificate information of the service access process is different from all malicious certificate information in the certificate information blacklist, that is, when the matching fails, the second verification processing result is determined to be verification success.
- the certificate information may be certificate chain (Certificate Chain) information, for example, including root certificate information, intermediate certificate information, and signature certificate information, and the format of the certificate information is determined according to the actual certificate issuance situation of the service access process.
- the verification strength of the above-mentioned influencing factors from 1) to 4) increases, and the verification duration also increases.
- the security requirements and efficiency requirements in practical application scenarios can be integrated, and at least one of the above-mentioned influencing factors can be selected for verification processing.
- for example, when the signature information includes a digital signature and the validity verification processing result of the digital signature is verification success, the second verification processing result is determined to be verification success; when the signature information does not include a digital signature, or the validity verification processing result of the digital signature is verification failure, the second verification processing result is determined to be verification failure.
- the flexibility of verification processing for the signature information of the service access process is improved.
- the method further includes: determining the digital signature in the signature information and the decryption key corresponding to the digital signature; decrypting the digital signature according to the decryption key to obtain a first hash result of the process file of the service access process; hashing the process file of the service access process to obtain a second hash result; and using the matching result between the first hash result and the second hash result as the validity verification processing result of the digital signature.
- the digital signature may be obtained by hashing the process file of the service access process and then encrypting the obtained first hash result, where the process file may refer to the portable executable (Portable Executable, PE) file of the service access process. Therefore, when validating the digital signature, the digital signature in the signature information and the decryption key corresponding to the digital signature can be determined first, where the decryption key can be obtained by parsing the certificate information of the service access process, for example parsed from the signing certificate.
- the digital signature is decrypted according to the decryption key to obtain the first hash result.
- the process file of the service access process is hashed to obtain the second hash result.
- the algorithm used for hashing can also be obtained from the certificate information. In this way, it can be ensured that the algorithm used for calculating the first hash result is consistent with the algorithm used for calculating the second hash result.
- the matching result between the first hash result and the second hash result is used as the validity verification processing result. For example, when the first hash result is the same as the second hash result, that is, the match succeeds, the validity verification processing result is determined to be verification success; when the first hash result is different from the second hash result, this proves that the process file has been tampered with, and the validity verification processing result is determined to be verification failure.
- the above method is only an example of the validity verification process, and does not constitute a limitation on the validity verification process.
- the validity verification processing can also be achieved by calling a specific application programming interface (Application Programming Interface, API), such as WinVerifyTrust.
- step 203 the synchronous verification processing result of the service access process is determined according to the first verification processing result and the second verification processing result.
- when both the first verification processing result and the second verification processing result are verification success, the synchronous verification processing result of the service access process is determined to be verification success; when either the first verification processing result or the second verification processing result is verification failure, the synchronous verification processing result of the service access process is determined to be verification failure.
- the synchronization verification processing of the service access process is performed in combination with the two aspects of the process path and the signature information, which can effectively improve the accuracy of the obtained synchronization verification processing result.
- step 204 the process information of the service access process is periodically matched with the process information blacklist, and the obtained matching result is used as the asynchronous verification processing result of the service access process.
- the process information may include at least one of the MD5 value of the process file, the Hash value of the process file, the process path, and certificate information, which may be set according to actual application scenarios.
- the process information blacklist includes process information of multiple malicious processes, and the process information blacklist can be continuously updated over time, similar to a virus database. In the process of asynchronously verifying the service access process, the process information of the service access process can be periodically matched with the process information blacklist (for example, the current latest process information blacklist).
- when the process information is the same as any process information in the process information blacklist, that is, when the match succeeds, the asynchronous verification processing result for the service access process is determined to be verification failure; when the process information is different from all process information in the process information blacklist, that is, when the match fails, the asynchronous verification processing result for the service access process is determined to be verification success.
- when the process information includes multiple types of content (such as an MD5 value, a hash value, etc.), it can be set that process information A matches process information B when a certain item of content (such as the MD5 value) included in process information A is the same as the corresponding content included in process information B.
- process information of the service access process can be periodically sent to a specific cloud service, so that the cloud service matches the process information of the service access process with the process information blacklist, thereby reducing the local processing pressure.
- the embodiments of the present application provide some examples of performing synchronous verification processing and asynchronous verification processing on the service access process, which can effectively improve the accuracy of the obtained synchronous verification processing results and asynchronous verification processing results, thereby enhancing the security of the subsequent service communication.
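Steps 201 to 204 above, and the way step 105 uses the asynchronous result, as an added Python example that is not part of the patent: the synchronous check (process path inside a security directory, signature present, signer and certificate not blacklisted) runs once at authentication time, while the asynchronous check matches MD5, hash or path against a blacklist that can be updated later and closes the connection on a hit. The `ProcessInfo` record, the blacklist contents and the directory names are constructed; a real client would obtain them from the operating system and the file's signature, and the cryptographic validity check (factor 2) is assumed to be done separately.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class ProcessInfo:
    """Constructed view of a service access process; real data comes from the OS."""
    path: str
    file_bytes: bytes
    has_signature: bool
    signer: Optional[str] = None
    cert_chain: Tuple[str, ...] = ()

    @property
    def md5(self) -> str:
        return hashlib.md5(self.file_bytes).hexdigest()

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.file_bytes).hexdigest()


@dataclass
class Blacklists:
    signers: Set[str] = field(default_factory=set)          # signer blacklist
    certs: Set[str] = field(default_factory=set)            # certificate information blacklist
    process_md5: Set[str] = field(default_factory=set)      # process information blacklist ...
    process_sha256: Set[str] = field(default_factory=set)   # ... any one item may match
    process_paths: Set[str] = field(default_factory=set)


def _norm(path: str) -> str:
    return os.path.normcase(os.path.normpath(path))


def path_in_security_directory(path: str, security_dirs: List[str]) -> bool:
    """Step 201: first verification result. Paths are normalised first so that
    '/opt/acme/bin/../evil.exe' is not mistaken for a file under the directory."""
    p = _norm(path)
    for d in security_dirs:
        d = _norm(d)
        if p == d or p.startswith(d + os.sep):
            return True
    return False


def verify_signature_info(proc: ProcessInfo, bl: Blacklists) -> bool:
    """Step 202: second verification result from factors 1), 3) and 4)."""
    if not proc.has_signature:
        return False
    if proc.signer in bl.signers:
        return False
    if any(cert in bl.certs for cert in proc.cert_chain):
        return False
    return True


def synchronous_verification(proc: ProcessInfo, security_dirs: List[str], bl: Blacklists) -> bool:
    """Step 203: success only when both the path check and the signature check succeed."""
    return path_in_security_directory(proc.path, security_dirs) and verify_signature_info(proc, bl)


def asynchronous_verification(proc: ProcessInfo, bl: Blacklists) -> bool:
    """Step 204: one periodic match of the process information against the blacklist."""
    if proc.md5 in bl.process_md5 or proc.sha256 in bl.process_sha256:
        return False
    if _norm(proc.path) in bl.process_paths:
        return False
    return True


class Connection:
    """Minimal model of the connection that carries encrypted service communication."""
    def __init__(self) -> None:
        self.open = False
        self.key_id: Optional[str] = None


def handle_authentication(proc: ProcessInfo, security_dirs: List[str], bl: Blacklists) -> Connection:
    """Steps 101 to 104: allocate a service key only on synchronous success."""
    conn = Connection()
    if synchronous_verification(proc, security_dirs, bl):
        conn.open = True
        conn.key_id = secrets.token_hex(8)  # constructed key identifier
    return conn


def periodic_recheck(conn: Connection, proc: ProcessInfo, bl: Blacklists) -> bool:
    """Step 105: one tick of asynchronous verification; disconnect on failure."""
    if conn.open and not asynchronous_verification(proc, bl):
        conn.open = False
        conn.key_id = None
    return conn.open
```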
- FIG. 4C is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- Step 104 shown in FIG. 4A can be implemented through steps 301 to 307 , which will be described in conjunction with each step.
- step 301 the service key information is encrypted according to the public key in the authentication request.
- an asymmetric key pair may be generated by the service access process, and the public key in the asymmetric key pair is added to the authentication request, where the asymmetric key pair includes the public key and the private key matched with the public key.
- after determining the service key information allocated to the service access process, the electronic device can encrypt the service key information using the public key sent by the service access process.
- step 302 the encrypted service key information is sent to the service access process, so that the service access process decrypts the encrypted service key information according to the private key.
- the electronic device sends the encrypted service key information to the service access process, so that the service access process decrypts the encrypted service key information according to the stored private key. Since other processes except the service access process do not hold the private key, even if the encrypted service key information is stolen by other processes, other processes cannot obtain the actual service key information. In the above manner, the confidentiality of the service key information can be improved.
- step 303 a service request sent by the service access process is received; wherein, the service request includes a key identifier and request data encrypted with a symmetric key.
- the process of encrypting the service communication is described by taking the service key information including the key identifier and the symmetric key as an example.
- the service access process can generate a call request based on the service key information.
- the call request includes the key identifier and the request data encrypted with the symmetric key.
- the type of the request data is not limited here and can be determined according to the actual application scenario.
- a service interface (such as a specific port) may be pre-agreed in the electronic device, and when the electronic device receives a call request for the service interface from the service access process, the call request is regarded as a service request.
- different service interfaces can be set for various services, and a unified service interface can also be set.
- step 304 among the distributed symmetric keys, the symmetric key corresponding to the key identifier in the service request is queried.
- when distributing the service key information, the electronic device stores the service key information, where each item of service key information includes a key identifier and the symmetric key corresponding to the key identifier.
- the electronic device searches for the symmetric key corresponding to the key identifier in the service request among all the distributed symmetric keys. If the symmetric key corresponding to the key identifier is not queried, corresponding error information may be sent to the service access process, so that the service access process resends the service request when the error information is received.
- the method further includes: when the queried use parameter of the symmetric key meets the expiration parameter condition, sending expiration information to the service access process, so that the service access process receives the expiration information after receiving the expiration information.
- the authentication request is re-sent when the time of use; wherein, the use parameter includes at least one of the number of times of use and the length of use.
- an expired parameter condition can be set.
- the electronic device can update the service key information, wherein the expired parameter condition can be the maximum usage At least one of the number of times and the effective use duration, of course, may also be other conditions, which are not limited.
- After the electronic device performs a query based on the key identifier in the service request, if the queried use parameter of the symmetric key (equivalent to the use parameter of the service key information to which the symmetric key belongs) satisfies the expired parameter condition, the expiration information is sent to the service access process, so that the service access process resends the authentication request when it receives the expiration information, thereby requesting updated service key information. In the above manner, dynamic updating of the service key information can be realized, and the security of the service communication can be further improved.
- step 305 decrypt the encrypted request data in the service request according to the queried symmetric key.
- step 306 a response process is performed on the request data obtained by the decryption process to obtain response data.
- the request data obtained by the decryption process may be subjected to response processing according to actual business policies or rules to obtain response data.
- if the request data obtained by the decryption process is a video link, the video data corresponding to the video link can be obtained as the response data.
- the response processing performed may also simply be to store the request data obtained by the decryption processing, that is, it is not necessary to obtain response data; only the case of obtaining response data is described here as an example.
- the service request further includes a timestamp and first verification information; wherein the first verification information is obtained by the service access process hashing the key identifier, the symmetric key, the timestamp, and the request data encrypted with the symmetric key. The above-mentioned response processing on the request data obtained by the decryption process can also be implemented in this way: hash the key identifier, the queried symmetric key, the timestamp, and the encrypted request data to obtain second verification information; when the first verification information and the second verification information match successfully, perform response processing on the request data obtained by the decryption processing.
- the service access process may perform hash processing on the key identifier, the symmetric key, the current timestamp, and the request data encrypted with the symmetric key to obtain the first verification information, and carry the first verification information in the service request; the service request thus includes the key identifier, the request data encrypted with the symmetric key, the timestamp, and the first verification information.
- After the electronic device obtains the corresponding symmetric key by querying the key identifier in the service request, it hashes the key identifier in the service request, the queried symmetric key, the timestamp in the service request, and the encrypted request data in the service request to obtain the second verification information.
- the algorithm used in the hash processing can be pre-agreed to ensure that both sides use the same algorithm.
- When the first verification information is the same as the second verification information, that is, the matching is successful, it proves that the data in the service request has not been tampered with, and the electronic device performs response processing on the request data obtained by the decryption process; when the first verification information differs from the second verification information, that is, the matching fails, it proves that the data in the service request has been tampered with, and the electronic device can send corresponding error information to the service access process, so that the service access process resends the service request when it receives the error information.
- the first verification information and the second verification information may be compared first, and then the encrypted request data in the service request is decrypted according to the symmetric key obtained;
- the encrypted request data in the service request may also be decrypted according to the symmetric key obtained, and then the first verification information and the second verification information are compared.
- step 307 the response data is encrypted according to the public key, and the encrypted response data is sent to the service access process, so that the service access process decrypts the encrypted response data according to the private key.
- After obtaining the response data through the response processing, the electronic device encrypts the response data according to the public key sent by the service access process, and sends the encrypted response data to the service access process.
- When the service access process receives the encrypted response data, it can decrypt it according to the stored private key, obtain the response data, and thereby complete one round of encrypted service communication.
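- As an added illustration (not code from the patent), the following Python sketch implements steps 304 to 306 on the electronic device side, together with the service access process side that builds the request. It assumes SHA-256 as the pre-agreed hash over length-prefixed fields, a constructed HMAC-SHA256 counter keystream as a stand-in for the symmetric cipher (the nonce is carried as the first 16 bytes of the encrypted data), and an expiry condition of 100 uses or 3600 seconds; the public-key encryption of the response in step 307 is left to a real library and is not shown.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed expiry parameter condition: a maximum number of uses and a
# validity duration in seconds (the page names both kinds, not these values).
MAX_USES = 100
MAX_AGE_SECONDS = 3600


@dataclass
class ServiceKeyInfo:
    """One item of distributed service key information: identifier plus key,
    with the use parameters needed for the expiry check."""
    key_id: str
    symmetric_key: bytes
    issued_at: int
    use_count: int = 0


def issue_service_key(store: dict, now: int) -> ServiceKeyInfo:
    """Electronic device side: allocate service key information and keep a copy."""
    info = ServiceKeyInfo(secrets.token_hex(8), secrets.token_bytes(32), now)
    store[info.key_id] = info
    return info


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the symmetric cipher: XOR with an HMAC-SHA256
    counter keystream. Symmetric, so the same call decrypts."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def _field(b: bytes) -> bytes:
    # Length-prefix each field so the hash input is unambiguous.
    return len(b).to_bytes(4, "big") + b


def verification_info(key_id: str, symmetric_key: bytes, timestamp: int, encrypted: bytes) -> str:
    """Pre-agreed hash (SHA-256 assumed) over key identifier, symmetric key,
    timestamp and the encrypted request data."""
    h = hashlib.sha256()
    for part in (key_id.encode(), symmetric_key, str(timestamp).encode(), encrypted):
        h.update(_field(part))
    return h.hexdigest()


def build_service_request(info: ServiceKeyInfo, request_data: bytes, timestamp: int) -> dict:
    """Service access process side: encrypt, then attach the first verification information."""
    nonce = secrets.token_bytes(16)
    encrypted = nonce + stream_xor(info.symmetric_key, nonce, request_data)
    return {
        "key_id": info.key_id,
        "encrypted": encrypted,
        "timestamp": timestamp,
        "verification": verification_info(info.key_id, info.symmetric_key, timestamp, encrypted),
    }


def handle_service_request(store: dict, request: dict, now: int, respond) -> tuple:
    """Electronic device side, steps 304-306: look up the key, check expiry,
    recompute and match the verification information, decrypt, respond.
    Returns (status, payload) with status in {"ok", "error", "expired"}."""
    info = store.get(request["key_id"])
    if info is None:
        return ("error", "unknown key identifier; resend the service request")
    if info.use_count >= MAX_USES or now - info.issued_at > MAX_AGE_SECONDS:
        return ("expired", "service key information expired; resend the authentication request")
    second = verification_info(info.key_id, info.symmetric_key, request["timestamp"], request["encrypted"])
    if not hmac.compare_digest(second, request["verification"]):
        return ("error", "verification information mismatch; data may have been tampered with")
    nonce, ciphertext = request["encrypted"][:16], request["encrypted"][16:]
    request_data = stream_xor(info.symmetric_key, nonce, ciphertext)
    info.use_count += 1
    return ("ok", respond(request_data))


if __name__ == "__main__":
    store = {}
    key = issue_service_key(store, now=1000)
    req = build_service_request(key, b"https://video.example/clip", timestamp=1000)
    print(handle_service_request(store, req, now=1001, respond=lambda d: b"video bytes for " + d))
```

- The sketch compares the verification information before decrypting, which is one of the two orders the text allows, and uses a constant-time comparison so the match result does not leak timing; the `expired` status is what prompts the service access process to send a new authentication request.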
- the embodiment of the present application performs encrypted service communication by combining the asymmetric key pair generated by the service access process and the service key information issued by the electronic device, which can effectively ensure the security and privacy of service communication.
- FIG. 4D is a schematic flowchart of a service communication method provided by an embodiment of the present application.
- a credential request sent by the service access process may also be received; wherein the credential request is sent by the service access process when it intercepts the service request of the application process, and the destination address of the service request is the address of the service server.
- the service access process may be used to intercept a service request sent by an application process (for example, an application process running on the same terminal device as the service access process), where the destination address of the service request is the address of a service server.
- the address here can include IP address (or domain name) and port.
- the manner of intercepting the service request is not limited, for example, the interception can be implemented through a specific virtual network card.
- When the service access process intercepts the service request, it generates a credential request.
- the content of the credential request may include the source address (that is, the address of the application process) and the destination address in the service request, and may also include the process identifier (Process IDentification, PID) of the application process.
- step 402 a synchronization verification process is performed on the application process.
- When receiving the credential request sent by the service access process, the electronic device performs synchronous verification processing on the application process indicated by the credential request.
- the credential request is also one of the service requests sent by the service access process, and the response data requested by the credential request is the service credential.
- the above-mentioned synchronous verification processing for the application process can also be implemented by: determining the user account in the logged-in state in the device where the application process is located, and obtaining the process information of the trusted application process corresponding to the user account and the address of the accessible service server corresponding to the user account; taking the matching result between the process information of the application process and the process information of the trusted application process as the third verification processing result; taking the matching result between the address of the service server requested by the service request and the address of the accessible service server as the fourth verification processing result; obtaining the device information of the device where the application process is located, and taking the matching result between the device information and the device security condition as the fifth verification processing result; and determining the synchronous verification processing result for the application process according to the third, fourth and fifth verification processing results.
- a trusted application process corresponding to the user account and an accessible service server can be set, and the process information of the trusted application process and the address of the accessible service server are stored locally.
- When the electronic device receives the credential request sent by the service access process, it can determine the corresponding application process according to the PID in the credential request, determine the user account in the logged-in state in the device where the application process is located, and obtain the device information of the device where the application process is located.
- when the process information of the application process is the same as the process information of any trusted application process corresponding to the user account, that is, when the matching is successful, the third verification processing result is determined to be verification success; when the process information differs from the process information of all trusted application processes corresponding to the user account, the third verification processing result is determined to be verification failure.
- when the destination address in the service request is the same as the address of any accessible service server corresponding to the user account, the fourth verification processing result is determined to be verification success; when the destination address in the request differs from the addresses of all accessible service servers corresponding to the user account, the fourth verification processing result is determined to be verification failure.
- the device information is also matched with the set device security conditions. If the device information meets the device security conditions, that is, the matching is successful, the fifth verification processing result is determined to be verification success; otherwise, the fifth verification processing result is determined to be verification failure.
- the device security conditions are not limited; for example, the condition may be that the device information shows no viruses and no system vulnerabilities.
- the synchronous verification processing result for the application process can also be determined according to at least one of the above-mentioned third, fourth and fifth verification processing results, thereby improving the efficiency of the synchronous verification processing. In the above manner, the accuracy and validity of the obtained synchronous verification processing result can be improved.
- the method further includes: periodically matching the process information of the application process with the process information blacklist, and using the obtained matching result as the asynchronous verification processing result of the application process; and controlling, according to the asynchronous verification processing result, the communication connection with the service access process that is used to carry encrypted service communication.
- asynchronous verification processing can also be performed on the application process.
- the process of performing the asynchronous verification processing on the application process is similar to the above-mentioned process of performing the asynchronous verification processing on the service access process.
- the method further includes: sending a query request to the blockchain network to query the blacklist stored in the blockchain.
- the embodiments of the present application can also be implemented in combination with blockchain technology.
- the blockchain can be used to store blacklists, including but not limited to the above-mentioned blacklist of signers, blacklist of certificate information, and blacklist of process information.
- an example application of the blockchain network is described below, taking the case where the electronic device accesses the blockchain network to query the blacklist as an example.
- the electronic device 700 is connected to the blockchain network 500 and becomes a client node of the blockchain network 500.
- when the electronic device 700 needs to query the blacklist, it sends the query request to the blockchain network 500 in the form of a transaction, specifying in the transaction the smart contract that needs to be called to realize the query operation and the parameters passed to the smart contract; the transaction also carries the digital signature of the electronic device 700 (eg, obtained by encrypting a digest of the transaction using the digital certificate of the electronic device 700), and the electronic device 700 broadcasts the transaction to the blockchain network 500.
- the digital certificate can be obtained by registering with the certification center 600 by the electronic device 700 .
- When a node 510 in the blockchain network 500 receives the transaction, it verifies the digital signature carried in the transaction. After the digital signature is verified successfully, it confirms, according to the identity of the electronic device 700 carried in the transaction, whether the electronic device 700 has the transaction authority. Failure of either the digital signature verification or the authority verification causes the transaction to fail. After the verification succeeds, the node 510 adds its own digital signature and continues to broadcast the transaction in the blockchain network 500.
- the node 510 with the sorting function in the blockchain network 500 fills the transaction into a new block and broadcasts it to the nodes in the blockchain network 500 that provide consensus services.
- the nodes 510 providing consensus services in the blockchain network 500 perform a consensus process on the new block to reach an agreement, and the nodes 510 providing the ledger function append the new block to the end of the blockchain and execute the transactions in the new block:
- for a query on the blacklist, the blacklist is read from the state database, and the queried blacklist is sent to the electronic device 700.
- the state database stores data in the form of key-value pairs, and the data stored in the state database is usually the same as the data stored in the blockchain.
- the data in the state database can be used preferentially to respond, thereby improving response efficiency.
- the above method ensures the accuracy of the obtained blacklist.
- the data stored in the blockchain is not limited to the blacklist.
- it may also include the assigned service key information, the process information of the trusted application process corresponding to the user account, the address of the accessible service server corresponding to the user account, etc.
- step 403 according to the synchronous verification processing result of the application process, determine the service credential and gateway address allocated to the application process, and send the service credential and gateway address to the service access process, so that the service access process sends the service credential and the service request to the service gateway corresponding to the gateway address.
- when the synchronous verification processing result of the application process is verification success, the electronic device determines the service credential and gateway address allocated to the application process, and sends the service credential and gateway address to the service access process; when the synchronous verification processing result of the application process is verification failure, the communication connection with the service access process may be disconnected, or the service access process may be notified to connect directly with the service server.
- the gateway address here refers to the address of the service gateway that has permission to access the service server (here, the service server requested by the service request of the application process).
- the service gateway to be accessed can also be uniformly set to the service gateway authorized to access, which is not limited.
- the electronic device may store the assigned service credential locally for subsequent verification, wherein the type of the service credential is not limited, for example, it may be a random character string.
- When the service access process receives the service credential and the gateway address, it may first send the service credential to the service gateway corresponding to the gateway address.
- When the service gateway receives the service credential, it sends the service credential to the electronic device for verification processing. If the service credential is the same as the service credential stored in the electronic device, that is, the verification is successful, the service gateway can send verification success information to the service access process.
- When the service access process receives the verification success information, it sends the service request of the application process to the service gateway, so that the service gateway forwards the service request to the service server, and the service server performs response processing on the request data.
- the response data obtained by the service server through response processing can be sent to the application process in the opposite communication direction.
- if the service gateway fails to verify the received service credential, the service gateway does not forward the service request sent by the service access process; for example, the service gateway can disconnect the communication connection with the service access process.
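- As an added example (not the patent's own code), the following Python sketch puts the credential flow of the preceding paragraphs together: the three synchronous checks on the application process, the allocation of a random-string service credential and gateway address on success (step 403), and the gateway-side check that asks the electronic device to verify the credential before forwarding. The device security condition (no viruses, no vulnerabilities), the server-to-gateway mapping, and all sample process and address values are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessInfo:
    """Process information as the page lists it: application name,
    process name, application MD5 value and signature information."""
    application_name: str
    process_name: str
    md5: str
    signature: str


@dataclass
class AccountPolicy:
    """Zero-trust policy for one user account: trusted application processes
    and the (host, port) addresses of accessible service servers."""
    trusted_processes: frozenset
    accessible_servers: frozenset


# Assumed mapping from service server to the gateway authorised to reach it.
GATEWAY_FOR_SERVER = {("10.10.0.5", 443): "gw1.example.internal:8443"}
DEFAULT_GATEWAY = "gw0.example.internal:8443"


def device_meets_security_condition(device_info: dict) -> bool:
    """Assumed device security condition: no viruses and no system vulnerabilities found."""
    return not device_info.get("viruses") and not device_info.get("vulnerabilities")


def sync_verify_application(credential_request: dict, policy: AccountPolicy, device_info: dict) -> dict:
    """Third, fourth and fifth verification results, and the combined synchronous result."""
    third = credential_request["process_info"] in policy.trusted_processes
    fourth = credential_request["destination"] in policy.accessible_servers
    fifth = device_meets_security_condition(device_info)
    return {"third": third, "fourth": fourth, "fifth": fifth, "result": third and fourth and fifth}


class CredentialIssuer:
    """Electronic device side: allocates service credentials (random strings, as the
    page suggests) and keeps them for later verification on the gateway's behalf."""

    def __init__(self):
        self._issued = {}  # credential -> destination it was issued for

    def handle_credential_request(self, credential_request: dict, policy: AccountPolicy, device_info: dict) -> tuple:
        checks = sync_verify_application(credential_request, policy, device_info)
        if not checks["result"]:
            return ("disconnect", checks)  # or notify the process to connect directly
        credential = secrets.token_urlsafe(32)
        destination = credential_request["destination"]
        self._issued[credential] = destination
        gateway = GATEWAY_FOR_SERVER.get(destination, DEFAULT_GATEWAY)
        return ("credential", {"credential": credential, "gateway": gateway, "checks": checks})

    def verify_credential(self, credential: str, destination) -> bool:
        """Called by the service gateway: constant-time compare against stored credentials,
        and require that the credential was issued for this destination."""
        for stored, dst in self._issued.items():
            if hmac.compare_digest(stored, credential) and dst == destination:
                return True
        return False


def gateway_handle(issuer: CredentialIssuer, credential: str, service_request: dict) -> tuple:
    """Service gateway side: forward only when the electronic device verifies the credential."""
    if not issuer.verify_credential(credential, service_request["destination"]):
        return ("disconnect", None)
    return ("forwarded", service_request["destination"])


if __name__ == "__main__":
    conf = ProcessInfo("xx conference", "xxconf.exe", "0123456789abcdef0123456789abcdef", "Example Signer")
    policy = AccountPolicy(frozenset({conf}), frozenset({("10.10.0.5", 443)}))
    issuer = CredentialIssuer()
    req = {"pid": 4242, "source": ("192.168.1.20", 51000), "destination": ("10.10.0.5", 443), "process_info": conf}
    print(issuer.handle_credential_request(req, policy, {"viruses": [], "vulnerabilities": []}))
```

- Binding each issued credential to the destination it was requested for means a credential obtained for one service server cannot be presented to the gateway for another, which is what the per-request verification in step 403 is meant to guarantee.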
- the interaction between the service access process and the electronic device belongs to the category of encrypted service communication.
- the service access process can act as an agent of the application process to access the service server, which is suitable for zero-trust scenarios, such as zero-trust borderless office scenarios.
- the service communication method can be implemented through a service communication system, wherein the service communication system includes a service access client, a security client, and a security server.
- FIG. 4E is a schematic flowchart of a service communication method provided by an embodiment of the present application, which will be described with reference to the steps shown in FIG. 4E.
- step 501 the security client receives the authentication request sent by the service access process.
- the security client and the service access client may be deployed in the same terminal device, or may be deployed in different terminal devices.
- step 502 the security client performs synchronization verification processing on the service access process.
- the synchronization verification processing performed on the service access process may include verification processing on the process path and signature information.
- the service access client may be a component of the security client, and when the security client verifies the process path of the service access process, the security directory may be the installation directory of the security client.
- step 503 the security server performs asynchronous verification processing on the service access process.
- the security client may notify the security server to perform asynchronous verification processing on the service access process, and the security server may return the asynchronous verification processing result on the service access process to the security client.
- the security client can send the process information of the service access process to the security server, so as to facilitate asynchronous verification processing.
- step 504 the security client determines the service key information allocated to the service access process according to the synchronous verification processing result of the service access process.
- the security client requests the security server for service key information, that is, the actual generator of the service key information may be the security server.
- the security client can store the acquired service key information locally for subsequent encrypted service communication.
- step 505 the security client sends the service key information to the service access process, so as to perform encrypted service communication with the service access process based on the service key information.
- the method further includes: the security client receives a credential request sent by the service access process; wherein the credential request is sent by the service access process when the service request of the application process is intercepted, and the destination address of the service request is the address of the service server; the security client informs the security server to perform synchronous verification processing on the application process; the security server determines the service credential and gateway address allocated to the application process according to the synchronous verification processing result of the application process, and sends the service credential and gateway address to the service access process;
- the service access client sends the service credential and the service request to the service gateway corresponding to the gateway address through the service access process; the service gateway verifies the service credential, and when the verification processing result of the service credential is verification success, sends the received service request to the service server; the service server is used for performing response processing on the request data in the received service request.
- the security client, the service access process and the application process can run in the same terminal device.
- the security client can send the obtained credential request, the user account in the logged-in state in the device where the application process is located, the process information of the application process, and the device information of the device where the application process is located to the security server, so that the security server can perform synchronous verification processing on the application process; wherein the user account in the logged-in state may refer to the user account in the logged-in state in the security client.
- the security server may also perform asynchronous verification processing on the application process.
- step 506 the security client controls the communication connection with the service access process for carrying encrypted service communication according to the asynchronous verification processing result of the security server on the service access process.
- encrypted service communication can be implemented through a service access client, a security client, and a security server, wherein the service access client can be used as a component of the security client, which is convenient for installation on terminal devices (for example, terminal devices held by enterprise employees) and is suitable for scenarios such as zero-trust borderless office.
- the business communication system may include a security client, a security server, and a security management terminal, wherein the security management terminal is used to configure policies, rules, etc. applied in the security client and/or the security server, and the security management terminal can provide a human-computer interaction interface (such as a Web interface), so that it is convenient for administrators (such as enterprise administrators) to configure.
- an administrator can configure a zero-trust policy on the security management end, where the zero-trust policy includes applications (trusted applications) that can be used by a user account and business systems that can be accessed.
- the zero-trust policy can be configured from three aspects: user accounts (or user account groups), trusted applications, and business systems (corresponding to the above-mentioned business servers) in the organizational structure, which are described separately below.
- the granularity of the zero trust policy may be a single user account. If a zero-trust policy is configured for a user account group, all user accounts included in the user account group can share the same zero-trust policy.
- Trusted application: the application carrier through which the terminal device accesses the internal business system, and the application carrier is trusted by the security management terminal.
- the process information of the application process may include an application name, a process name, an application MD5 value, signature information, and the like.
- Business system: it can be used to provide internal business resources, data, development environments, test environments, operation and maintenance environments, formal production environments, etc. It is the object that the access subject (person/terminal device/application) needs to access, that is, the business system is the access object.
- the business system may be a business server (or a cluster of business servers).
- the user account group is a node in the organizational structure of the enterprise.
- the nodes are, from top to bottom, the network-wide account, the user account group and the user account; that is, the network-wide account is the parent node of all user account groups, and the user account group is the parent node of all user accounts included in the user account group.
- the "lemon" user account in Figure 5 belongs to the "testgroup" user account group, and the "testgroup" user account group in turn belongs to the network-wide account.
- This embodiment of the present application also provides a schematic diagram of process information (also called process features) as shown in FIG. 6 .
- In FIG. 6, the process information of a conference application process is shown, which may include process name, application name, operating system (that is, the operating system of the terminal device used to run the application process), manufacturer, signature information, inspection result (that is, the asynchronous verification processing result), version, MD5 value, and SHA256.
- the administrator can configure the zero-trust gateway on the zero-trust gateway (corresponding to the above-mentioned business gateway) interface on the security management side.
- the schematic diagram of the zero-trust gateway interface on the security management side shown in FIG. 7 and the schematic diagram of the configuration interface of the zero-trust gateway shown in FIG. 8 are provided; the configuration interface shown in FIG. 8 can be displayed by triggering a certain gateway (such as gateway 4) shown in FIG., which is not limited. Administrators can configure attributes such as the name, IP address, domain name, port, and IP address segment of the zero-trust gateway according to actual needs.
- if a gateway is configured with a preferentially accessed IP address segment, then when the IP address of the access subject (such as a terminal device) matches the preferentially accessed IP address segment successfully (that is, it falls into the preferentially accessed IP address segment), the gateway can be used preferentially to forward the service request of the access subject; when the IP address of the access subject fails to match the preferentially accessed IP address segment, the gateway may or may not be selected, depending on the actual application scenario.
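- As an added example (not the patent's own code), the following Python function shows one way to select a zero-trust gateway from its configured attributes using the preferentially accessed IP address segment. It generalises the text slightly: when several gateways' segments contain the subject's IP, the most specific segment wins, and the `use_unmatched` flag covers both choices the page leaves open when no segment matches. The gateway names, addresses and segments are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ZeroTrustGateway:
    """Gateway attributes as configurable on the management interface: name,
    address (IP or domain name plus port) and preferentially accessed IP segments."""
    name: str
    address: str
    preferred_segments: tuple = ()  # CIDR strings; empty when none is configured


def select_gateway(gateways: list, subject_ip: str, use_unmatched: bool = True):
    """Pick the gateway whose preferred segment contains the subject's IP; if several
    match, the longest prefix wins. With use_unmatched=False no gateway is chosen
    when nothing matches; otherwise fall back to a gateway without a preferred
    segment, and finally to the first configured gateway."""
    ip = ipaddress.ip_address(subject_ip)
    best, best_prefix = None, -1
    for gw in gateways:
        for cidr in gw.preferred_segments:
            net = ipaddress.ip_network(cidr, strict=False)
            # 'in' is False for mismatched IP versions, so v4/v6 mixing is safe here.
            if ip in net and net.prefixlen > best_prefix:
                best, best_prefix = gw, net.prefixlen
    if best is not None:
        return best
    if not use_unmatched:
        return None
    for gw in gateways:
        if not gw.preferred_segments:
            return gw
    return gateways[0] if gateways else None


if __name__ == "__main__":
    gws = [
        ZeroTrustGateway("gateway 1", "gw1.example.internal:443", ("10.1.0.0/16",)),
        ZeroTrustGateway("gateway 2", "gw2.example.internal:443", ("10.1.8.0/24",)),
        ZeroTrustGateway("gateway 4", "gw4.example.internal:443"),
    ]
    for ip in ("10.1.8.17", "10.1.200.1", "192.0.2.9"):
        print(ip, "->", select_gateway(gws, ip).name)
```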
- the embodiment of the present application also provides a schematic diagram of the service system interface of the security management terminal as shown in FIG. 9 .
- a specific business system can be queried, and it can also support adding, copying, and deleting (eg, batch deleting) business systems.
- different system combinations can also be created, wherein the system combination includes at least one business system.
- taking the system combination 1 as an example, the service systems 1 to 4 in the system combination 1 are shown.
- the embodiment of the present application also provides schematic diagrams of configuration interfaces of the service system as shown in FIG. 10 , FIG. 11 , and FIG. 12 .
- the embodiment of the present application provides a schematic diagram of the policy management interface of the security management terminal as shown in FIG. 13 .
- a trusted application (i.e., "xx conference" in FIG. 13) and a business system accessible through the trusted application (i.e., "System Composition 2" in FIG. 13) are shown.
- the embodiment of the present application may provide an inheritance function, that is, the configuration is automatically copied down along the hierarchical relationship of user accounts from top to bottom, so as to avoid repeated checking operations by the administrator. For example, if the user account "123" belongs to the user account group "test", the configuration of the user account group "test" can be copied to the user account "123".
- the inheritance function can also be turned off to perform targeted configuration on the user account "123".
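- As an added example (not the patent's own code), the following Python sketch resolves the zero-trust policy for each user account along the network-wide account / user account group / user account hierarchy described above: configuration is inherited from every ancestor unless inheritance is turned off on a node, in which case only that node's targeted configuration applies. The account, group, application and system names are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class OrgNode:
    """A node of the organisational structure: network-wide account, user account
    group, or user account. Each node carries its own zero-trust configuration."""
    name: str
    parent: "OrgNode | None" = None
    trusted_apps: set = field(default_factory=set)
    business_systems: set = field(default_factory=set)
    inherit: bool = True  # turned off to give this node a targeted configuration
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def effective_policy(node: OrgNode) -> dict:
    """Configuration copied down the hierarchy: the node's own entries plus those of
    every ancestor, stopping at the first node (seen from the bottom) with inheritance off."""
    apps, systems = set(), set()
    cur = node
    while cur is not None:
        apps |= cur.trusted_apps
        systems |= cur.business_systems
        if not cur.inherit:
            break
        cur = cur.parent
    return {"trusted_apps": apps, "business_systems": systems}


def deploy_policies(root: OrgNode) -> dict:
    """What the management terminal would push to the security server: one resolved
    policy per user account, i.e. per leaf of the hierarchy."""
    out = {}
    stack = [root]
    while stack:
        n = stack.pop()
        if n.children:
            stack.extend(n.children)
        else:
            out[n.name] = effective_policy(n)
    return out


if __name__ == "__main__":
    root = OrgNode("network-wide", business_systems={"System Composition 1"})
    grp = OrgNode("test", root, trusted_apps={"xx conference"}, business_systems={"System Composition 2"})
    OrgNode("123", grp)
    OrgNode("456", grp, trusted_apps={"xx mail"}, inherit=False)
    for account, policy in deploy_policies(root).items():
        print(account, policy)
```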
- the security management terminal can deploy the zero trust policy configured by the administrator to the security server, of course, it can also be deployed to the security client, for example, deploy part of the zero trust policy to the security client.
- the security client is used to be installed in the terminal device as the access subject, such as the personal computer used by the employees of the enterprise.
- the embodiment of the present application provides a schematic interface diagram of a security client as shown in FIG. 14 .
- In FIG. 14, two login modes are provided: logging in by scanning a code and logging in with an account.
- the security client can also integrate functions such as virus detection, compliance detection, vulnerability repair, and computer tools.
- the security client can provide real-time protection policies, an antivirus protection engine and a security hardening strategy, and functions can be added to or removed from the security client according to actual application scenarios.
- the embodiment of the present application also provides a schematic interface diagram of the security client as shown in FIG. 16 .
- the security client can obtain the zero-trust policy configured for the user account in the logged-in state, and obtain the trusted application from the zero-trust policy and display it; for example, the trusted application "xx conference" corresponding to the user account "lemon" is shown.
- the terminal device can access the configured business system according to the configured trusted application, which is suitable for the scenarios of borderless office, such as remote office.
- the business communication system can act as a zero-trust network security service provider and, based on an access proxy (corresponding to the above-mentioned business access client) and a zero-trust gateway, provide a unified portal for the access subject, so that the access subject accesses the access object through the unified portal, that is, sends a service request through the network.
- the business communication system can provide authentication operations for the unified portal, and only the business requests that pass the authentication can be forwarded to the zero-trust gateway by the access proxy, so that access to the actual business system is proxied by the zero-trust gateway.
- the embodiment of the present application also provides a schematic diagram of an access process as shown in FIG. 18 .
- the core modules in FIG. 18 include a security client, a security server, an access proxy, and a zero-trust gateway (smart gateway).
- Security client: an agent installed in the access subject (such as the terminal device of an enterprise employee), which can be used to verify whether the user account in the login state is trustworthy, whether the terminal device is trustworthy, and whether the application is trustworthy.
- the security client can send the process characteristics of the application process (corresponding to the above process information) to the security server, that is, to perform process submission (corresponding to the above asynchronous verification processing for the application process).
- Access proxy: also known as the proxy client, it is used to hijack the traffic of the terminal device, that is, to intercept the service requests sent by application processes in the terminal device. Traffic hijacking can be achieved through a TUN/TAP virtual network card, but the hijacking method is not limited to this.
- Zero-trust gateway: it can be deployed at the entrance of enterprise applications and data resources, and is responsible for verifying, authorizing and forwarding each business request used to access the enterprise's internal business systems. The zero-trust gateway can be built in the form of software.
- Security server: responsible for the security scheduling of service traffic through the policy control engine (policy center), and authorizes the service requests of application processes at the granularity of user account-terminal device-application.
- the security server can be used to verify whether the user account in the login state in the security client is trustworthy, can also be used to verify device hardware information and device security status, and can also be used to detect whether the application process is trustworthy, such as whether there are vulnerabilities, whether there are viruses or Trojans, and so on.
- the security server can periodically send files to the cloud server for inspection. If the application process that sends the service request is identified as a malicious process, it will notify the security client to perform an asynchronous blocking operation, such as disconnecting the communication connection with the access agent.
- the cloud server is used to provide cloud detection services (or cloud query services, cloud identification services, etc.) of malicious processes.
- the terminal device can send a service request for the access object through the application process.
- After the access agent hijacks the service request, it sends a ticket request (corresponding to the above credential request) to the security client.
- The ticket request includes the source IP address (or source domain name), source port, destination IP address (or destination domain name) and destination port in the service request, as well as the PID corresponding to the application process, where the ticket corresponds to the above service credential and the PID is used to uniquely identify the application process.
- When the security client receives the ticket request sent by the access agent, it collects, according to the PID in the request, the MD5 value of the application process, the process path, the last modification time of the process file, the copyright information and the signature information, and applies for a ticket from the security server with these, together with the source IP address (or source domain name), source port, destination IP address (or destination domain name) and destination port, and the information of the user account in the login state in the security client. After receiving this information, the security server obtains the zero-trust policy corresponding to the user account in the login state in the security client and determines, according to that policy, whether the user account has the right to access the business system (the one requested by the business request) through the application process (the one that initiated the service request).
- If it has the right, the security server can send the generated ticket, the maximum number of times the ticket may be used and the valid use time of the ticket to the security client, so that the security client forwards them to the access proxy.
- When the security client applies for a ticket from the security server, the security server performs synchronous verification processing on the process characteristics of the application process, such as verifying whether the application process is a trusted application and whether the user account has permission to access the corresponding business system through the application process. If the synchronous verification processing result obtained by the security server is successful, the security server responds normally with the ticket, the maximum number of times the ticket may be used and the valid use time of the ticket to the security client, and the security client sends them to the access agent. For example, the security client can send them to the access agent through local inter-process communication (i.e. the socket communication connection).
- the security server may periodically send a file submission request to a specific cloud server according to the process characteristics of the application process. If the security server obtains from the cloud server that the application process is a malicious process, it can notify the security client to perform an asynchronous blocking operation, such as disconnecting the communication connection with the access agent.
- After the access agent obtains the ticket, it can send the ticket to the zero-trust gateway for verification. For example, the access proxy can add the ticket to the Authorization header field of an HTTPS request and send the HTTPS request to the zero-trust gateway. When the zero-trust gateway receives the HTTPS request, it parses the ticket out of the Authorization header field and verifies the ticket with the security server.
- If the zero-trust gateway successfully verifies the ticket, the zero-trust gateway and the access agent establish a connection; the access agent can then send the original service request (here, the service request sent by the application process) to the zero-trust gateway, and the zero-trust gateway forwards the business request to the corresponding business system, thereby proxying the network access of the application process to the business system. If the zero-trust gateway fails to verify the ticket, the communication connection between the access agent and the zero-trust gateway is disconnected, and the access agent sends the original business request directly to the corresponding business system.
- In the zero-trust borderless office scenario, such direct access usually fails, in order to ensure the security of network access.
- the security server can adapt to medium-sized enterprises and institutions and the government through a single deployment mode, and can also adapt to large-scale enterprise groups and multi-level vertical government e-government systems through a distributed cascade deployment mode.
- the scheme of multi-active zero-trust core services in different places can be adopted.
- the core basic services are deployed in the master control node, and different services are deployed in different secondary service nodes.
- the embodiment of the present application provides a schematic diagram of cascading deployment as shown in FIG. 19 .
- the security server adopts a cascading deployment mode, including a master control node (master control server) and a secondary service node (server node).
- the master control node is deployed with core basic services, such as heartbeat service, policy synchronization service, and device management and control service.
- the configuration and data of the master control node can be periodically synchronized to each secondary service node; at the same time, when a secondary service node has data or configuration that needs to be changed, it can notify the master control node to make the modification, and after the master control node has modified it, the change is synchronized to the corresponding secondary service node.
- the service access process of the access agent can call the interface in the security client to realize data transmission.
- the service access process of the access agent can be subjected to synchronous verification processing and asynchronous verification processing. Each of them will be described below.
- After the access proxy establishes a socket connection with the security client, the security client obtains the PID of the service access process through the IP address and port number of the access proxy. Then, the security client obtains the process path of the service access process according to that PID, and detects whether the process path is located in the installation directory of the security client (corresponding to the security directory above).
- the access agent may be a component of the business communication system. After normal installation, the access agent is usually located in the installation directory of the security client.
- the installation directory of the security client can be protected by directory protection, so that services or processes of other non-service communication systems can be prevented from operating the installation directory.
- the validity of the access process can be preliminarily detected. If the process path of the service access process is located in the installation directory, the signature information of the process file of the service access process can be further acquired, and verification processing is performed.
- When the enterprise's security control intensity is low, interface access to the security client by service access processes without a digital signature can be relaxed (authorized); when the enterprise's security control intensity is high, only signed service access processes are allowed to access the interface of the security client.
- the following verification processes for signature information can be implemented.
- the security client performs validity verification processing on the digital signature locally, for example by calling the WinVerifyTrust API. If the validity verification succeeds, it is determined that the verification of the signature information is successful.
- the security client obtains the certificate chain information of the process file of the service access process (corresponding to the certificate information above); for example, the certificate chain information may include the digest algorithm, root certificate information, intermediate certificate information, signature certificate information, signature status, signer's name, timestamp, and signature verification error information.
- the root certificate information includes the name, serial number and expiration time of the root certificate; the intermediate certificate information and signature certificate information contain the same kinds of fields.
- the signature status can be used to indicate one of the digital signature available, the digital signature being tampered with, the certificate not trusted, the certificate expired, the certificate revoked, and other errors.
- the security client can match the certificate chain information with the certificate chain information blacklist (corresponding to the certificate information blacklist above). If the matching fails, it is determined that the verification of the signature information is successful.
- the security management and control strength of the above four methods increases step by step, and accordingly the time spent on verification processing also becomes longer. According to the strength requirements and efficiency requirements of security management and control in the actual application scenario, at least one of these methods can be selected to realize the verification processing of signature information.
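As an added example that is not part of the patent's own description, the following Python sketches the synchronous verification described above: the process-path check against the installation directory, and the signature information check at each of the four control strengths. The installation directory, the certificate-chain record layout and both blacklists are constructed for the example, and the local validity verification (WinVerifyTrust on Windows) is represented by a signature status field rather than called.

```python
"""Added example, not the patent's own code: the synchronous verification that
the security client can apply to a service access process before it reaches
the interface authentication link. The installation directory, the
certificate-chain record layout and both blacklists are constructed for
this example; the Windows validity check (WinVerifyTrust) is represented by
the signature_status field of the record."""
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertChainInfo:
    """Constructed subset of the certificate chain information listed on the page."""
    signer_name: str
    root_cert_name: str
    root_cert_serial: str
    # Result of local validity verification: "ok", "tampered", "untrusted",
    # "expired" or "revoked" (the signature status values the page lists).
    signature_status: str


# Constructed blacklists: the signer blacklist and the certificate information blacklist.
SIGNER_BLACKLIST = {"Constructed Evil Signer"}
CERT_BLACKLIST = {("Constructed Bad Root CA", "0badc0de")}


def path_in_install_dir(process_path: str, install_dir: str) -> bool:
    """First verification processing result: the process path matches the set
    security directory. Both paths are canonicalised so that '..' segments or
    symlinks cannot make a foreign path look like it lives in the directory,
    and a sibling such as '<install_dir>2' is not accepted by prefix match."""
    real_proc = os.path.realpath(process_path)
    real_dir = os.path.realpath(install_dir)
    try:
        return os.path.commonpath([real_proc, real_dir]) == real_dir
    except ValueError:          # different drives, or mixed absolute/relative paths
        return False


def verify_signature_info(info: Optional[CertChainInfo], level: int) -> bool:
    """Second verification processing result at the four increasing control
    strengths the page describes (level 0 is the relaxed, unsigned-allowed mode):
      1: the process file carries a digital signature
      2: ... and local validity verification of that signature succeeds
      3: ... and the signer is not on the signer blacklist
      4: ... and the certificate chain does not match the certificate blacklist
    """
    if info is None:                       # unsigned process file
        return level == 0
    if level >= 2 and info.signature_status != "ok":
        return False
    if level >= 3 and info.signer_name in SIGNER_BLACKLIST:
        return False
    if level >= 4 and (info.root_cert_name, info.root_cert_serial) in CERT_BLACKLIST:
        return False
    return True


def synchronous_verification(process_path: str, install_dir: str,
                             info: Optional[CertChainInfo], level: int) -> bool:
    """Combined synchronous verification result: only when both the path check
    and the signature check succeed may the interface call proceed to the
    interface authentication link."""
    if not path_in_install_dir(process_path, install_dir):
        return False
    return verify_signature_info(info, level)
```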
- When the security client successfully verifies the process path and signature information of the service access process, it can first allow the interface call of the service access process to enter the interface authentication link.
- the security client can asynchronously obtain the process characteristics of the service access process and send it to the security server for asynchronous verification processing.
- the process characteristics of the service access process include but are not limited to the MD5 value, Hash value, process path and signature information (including certificate chain information) of the service access process.
- After the security server receives the process characteristics of the service access process, it can periodically send a file inspection request to the cloud server, so that the cloud server determines whether the service access process is a malicious process. If the cloud server determines that the service access process is a malicious process, the security server notifies the security client, and the security client disconnects the socket connection with the service access process.
- the embodiment of the present application provides a schematic diagram of asynchronous verification processing as shown in FIG. 20 .
- the numbers in FIG. 20 represent steps of the asynchronous verification processing, which will be described in conjunction with the illustrated steps.
- the access agent tries to call the relevant interface of the security client, that is, sends an authentication request to the security client.
- the security client performs synchronous verification processing on the service access process (including verification processing on the process path and signature information), and if the synchronous verification processing result is that the verification is successful, the process characteristics of the service access process are collected.
- the security client sends the process characteristics of the service access process to the security server, that is, asynchronous submission.
- the security server sends the process characteristics of the service access process to the cloud server, so that the cloud server can judge whether the service access process is a malicious process.
- the cloud server sends the result of the asynchronous verification processing to the security server, that is, whether the business access process is a malicious process.
- If the service access process is a malicious process, the security server notifies the security client to perform a connection blocking operation.
- the service access process generates an asymmetric key pair.
- the private key in the asymmetric key pair can be encrypted and stored in memory by the service access process, and the public key pubkey in the asymmetric key pair is sent to the security client.
- This embodiment of the present application does not limit the manner of generating the asymmetric key pair, for example, it can be generated by using the RSA algorithm.
- the service access process sends an authentication request to the authentication interface of the security client, and an example of the authentication request is as follows.
- [port] represents the listening port of the security service provided by the security client
- [path] represents the service route (corresponding to the authentication request address above)
- [req_acc] represents the request identifier, which is used to request authentication.
- {pubkey} = urlencode(base64encode(pubkey)) in the above example, that is, {pubkey} is the result of performing urlencode after base64encode on the public key pubkey generated by the service access process.
- the purpose of executing base64encode and urlencode is to facilitate network transmission.
- When the security client receives the authentication request, it detects the legitimacy of the service access process through the above-mentioned combination of synchronous and asynchronous methods. When the result of the synchronous verification processing on the service access process is that the verification is successful, the security client requests the security server to generate a symmetric key aes_key for subsequent encrypted service communication, where the symmetric key can be generated by the AES algorithm or other algorithms. The security client encrypts the symmetric key with {pubkey} from the authentication request and sends the encrypted symmetric key to the service access process to complete the first authorization.
- encrypt(plain_data, pubkey) represents the result obtained after the security client encrypts the plaintext information plain_data of the data packet body according to the public key pubkey sent by the service access process, that is, encrypt represents encryption processing.
- the access_key is the result obtained by the security client performing base64encode on the symmetric key aes_key.
- the security server can store the mapping relationship between the access_id and the access_key, and can also store attributes such as the maximum number of times the access_key is used and the effective use duration.
- the security client can also store the access_id and the corresponding access_key (or the corresponding aes_key) locally for subsequent query.
- the service access process receives and parses the data packets responded by the security client.
- When the service access process receives the data packet returned by the security client, it parses out the response code code in the data packet. If the value of code is 0, processing was normal, and the service access process further obtains the base64 plaintext of the packet data through base64decode, and then decrypts the base64 plaintext with the private key that is encrypted and stored in memory to obtain plain_data.
- access_id and access_key may be in a one-to-one relationship.
- the service access process calls the service interface of the security client.
- the business interface may be an interface for applying for a ticket, or of course other business interfaces.
- the service access process calls the service interface of the security client, the raw parameter raw_param (corresponding to the above request data) sent to the service interface is processed as follows to form call_param.
- Step 3: execute urlencode on the result obtained in step 2, that is, urlencode(base64encode(encrypt(raw_param, aes_key))), to obtain call_param.
- the service access process simultaneously generates custom verification information signature (corresponding to the first verification information above), and the generation steps are as follows.
- the service access process takes out the access_id from the memory encrypted data as the first part (named A).
- timestamp represents the timestamp at the time the signature is generated, that is, the above D. It is worth noting that the service request sent by the service access process to the security client includes both the above-mentioned call_param and the Authorization public header information.
- the security client parses the service request sent by the service access process to the service interface, and checks whether the service request is legal.
- When the security client receives the service request, it urldecodes the call_param in the service request and then performs base64decode to obtain encrypt(raw_param, aes_key). Then it decrypts encrypt(raw_param, aes_key) with aes_key to obtain raw_param, that is, the original parameter of the service access process.
- For the Authorization public header information in the service request, the security client first performs base64decode to obtain the plaintext, that is, the access_id, the custom verification information signature and the timestamp. Then the security client performs a local query according to the access_id to obtain the corresponding access_key (or aes_key), and sends the queried access_key to the security server to check whether it has expired. If the queried access_key has expired, the security client triggers re-authentication by calling the authentication interface, that is, the service access process resends the authentication request.
- the security client will regenerate the verification information according to the call_param in the service request, the access_id in the Authorization public header, the timestamp in the Authorization public header, and the queried access_key.
- The security client compares the generated verification information Signature' with the custom verification information Signature sent by the service access process. If the two are the same, the security client determines that the service request is legal; if the two differ, this proves that the parameters of the service request have been tampered with or forged, so the security client determines that the service request is invalid and the service access process fails to call the service interface.
- the security client responds to the original parameters in the service request to obtain response data, and returns it to the service access process.
- When the security client determines that the service request is valid, that is, the call of the service access process to the service interface is valid, the security client responds to the raw parameter raw_param in the service request and obtains the response data resultdata.
- the specific content is not limited, and can be set according to the actual business.
- An example of a data packet returned by the security client to the service access process is as follows.
- retcode represents the response code for the service request sent by the service access process. If retcode is 0, the invocation of the service interface succeeded; if retcode is 1, the invocation of the service interface failed; if retcode is 2, the access_key (or aes_key) has expired, and the service access process needs to resend the authentication request, that is, re-execute step 2.
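The interface authentication exchange from the key pair step through the retcode response, as an added example in Python that is not code from the patent. It assumes a SHA-256 hash over access_id, access_key, timestamp and call_param in that order as the custom verification information (the page names the inputs but not the hash or order), replaces RSA and AES with stand-ins labelled in the code, and folds the security server's expiry check (maximum number of uses, valid duration) into the security client.

```python
"""Added example, not the patent's own code: both sides of the interface
authentication scheme in one file. Stand-ins and assumptions: the RSA
protection of aes_key in transit is omitted (access_key is handed over
directly); encrypt()/decrypt() with aes_key is a constructed SHA-256
keystream XOR rather than AES, so the example runs on the standard library
only; the signature is SHA-256 over access_id, access_key, timestamp and
call_param in that order; and the security server's expiry check is folded
into the security client."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse


def stream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for encrypt(x, aes_key) / decrypt(x, aes_key): NOT AES. XOR
    with a SHA-256 keystream, so the same call both encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def make_signature(access_id: str, access_key: str, timestamp: int,
                   call_param: str) -> str:
    """Custom verification information: a hash that covers the secret
    access_key, so only a holder of the key can produce a matching value."""
    msg = f"{access_id}{access_key}{timestamp}{call_param}".encode()
    return hashlib.sha256(msg).hexdigest()


class SecurityClient:
    """Stores access_id -> access_key/aes_key plus the use parameters the
    page attaches to a key (maximum number of uses, valid duration)."""

    def __init__(self, max_uses: int = 100, valid_seconds: int = 3600):
        self.keys = {}
        self.max_uses = max_uses
        self.valid_seconds = valid_seconds

    def authenticate(self) -> dict:
        """First authorization: generate the symmetric key and its identifier."""
        aes_key = secrets.token_bytes(32)
        access_key = base64.b64encode(aes_key).decode()   # page: base64encode(aes_key)
        access_id = secrets.token_hex(8)
        self.keys[access_id] = {"access_key": access_key, "aes_key": aes_key,
                                "uses": 0, "issued_at": time.time()}
        return {"code": 0, "access_id": access_id, "access_key": access_key}

    def handle_service_request(self, call_param: str, authorization: str,
                               now: float) -> dict:
        """Service interface: retcode 0 success, 1 invalid request, 2 key expired."""
        try:   # Authorization public header: base64 of access_id, signature, timestamp
            access_id, signature, ts = base64.b64decode(authorization).decode().split(":")
            timestamp = int(ts)
        except (ValueError, UnicodeDecodeError):
            return {"retcode": 1, "resultdata": "malformed Authorization header"}
        entry = self.keys.get(access_id)
        if entry is None:
            return {"retcode": 1, "resultdata": "unknown access_id"}
        if entry["uses"] >= self.max_uses or now - entry["issued_at"] > self.valid_seconds:
            return {"retcode": 2, "resultdata": "access_key expired, re-authenticate"}
        expected = make_signature(access_id, entry["access_key"], timestamp, call_param)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return {"retcode": 1, "resultdata": "verification information mismatch"}
        entry["uses"] += 1
        raw = stream_xor(base64.b64decode(urllib.parse.unquote(call_param)), entry["aes_key"])
        raw_param = json.loads(raw)
        # The response to raw_param is business specific; echo the requested target here.
        return {"retcode": 0, "resultdata": {"ticket_for": raw_param.get("dst")}}


class ServiceAccessProcess:
    """Caller side: obtains access_id/access_key, then builds call_param and
    the Authorization public header for every service interface call."""

    def __init__(self, client: SecurityClient):
        self.client = client
        creds = client.authenticate()
        self.access_id = creds["access_id"]
        self.access_key = creds["access_key"]
        self.aes_key = base64.b64decode(self.access_key)

    def build_request(self, raw_param: dict, timestamp: int) -> tuple:
        body = json.dumps(raw_param, sort_keys=True).encode()
        # call_param = urlencode(base64encode(encrypt(raw_param, aes_key)))
        call_param = urllib.parse.quote(
            base64.b64encode(stream_xor(body, self.aes_key)).decode(), safe="")
        signature = make_signature(self.access_id, self.access_key, timestamp, call_param)
        header = base64.b64encode(f"{self.access_id}:{signature}:{timestamp}".encode()).decode()
        return call_param, header

    def call(self, raw_param: dict, now: float) -> dict:
        call_param, header = self.build_request(raw_param, int(now))
        return self.client.handle_service_request(call_param, header, now)
```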
- the symmetric key required for interface authentication may be periodically updated at the security management end, and at each update the security server may set all access_id and access_key (or aes_key) values from before the update to invalid, thus triggering the service access process to call the authentication interface of the security client again to obtain the updated access_id and access_key.
- the granularity at which access_id and access_key are allocated can be configured on the security management end in this embodiment of the present application; for example, it can distinguish the service access process itself and the service route sent when the service access process calls the authentication interface.
- For example, when service access process A calls the authentication interface, the service routes include path1, path2 and path3; when service access process B calls the authentication interface, the service routes include path4 and path5.
- the granularity division scheme may include the following three:
- the security server distinguishes both service access processes and service routes, that is, assigns different access_id and access_key combination pairs to different service access processes, and also assigns different access_id and access_key combination pairs to different service routes of the same service access process.
- the security server only distinguishes service access processes, not service routes, that is, assigns different access_id and access_key combination pairs to different service access processes, and assigns the same access_id and access_key combination pair to different service routes of the same service access process. For example, for path1, path2 and path3 of service access process A, one access_id and access_key combination pair is uniformly allocated; for path4 and path5 of service access process B, another access_id and access_key combination pair is uniformly allocated.
- the security server does not distinguish between service access processes and service routes, that is, for all service routes of all service access processes, a set of access_id and access_key combination pairs are uniformly allocated.
- administrators can use any of the above granularity division schemes according to the level of management and control of the enterprise.
- the security server can configure at least one of the maximum number of times of use and the effective use time, so as to realize regular update of access_id and access_key and improve security.
- the security client can effectively verify the legitimacy of the service access process by performing verification processing on the process path and signature information of the service access process, and by sending the process characteristics of the service access process to the security server for asynchronous verification processing it can accurately verify whether the service access process is a malicious process.
- the embodiment of the present application not only improves the verification accuracy of the service access process, but also improves the efficiency of the compliant service access process accessing the security client.
- The embodiments of the present application provide an interface authentication scheme verified by dynamic keys and custom verification information, which can encrypt business communication according to the symmetric key issued by the security server, avoiding the problem of stored keys being cracked; the service key information can be periodically updated, enhancing the security of interface calls; and it allows administrators to distinguish service key information through different granularity division schemes according to the degree of control required for each service, improving applicability to different services and scenarios.
- The software modules stored in the service communication device 455 of the memory 450 may include: the receiving module 4551, used to receive the authentication request sent by the service access process; the verification module 4552, used to perform synchronous verification processing and asynchronous verification processing on the service access process; the determining module 4553, used to determine the service key information allocated to the service access process according to the synchronous verification processing result of the service access process; the sending module 4554, used to send the service key information to the service access process, so as to perform encrypted service communication with the service access process based on the service key information; and the connection control module 4555, configured to control, according to the asynchronous verification processing result of the service access process, the communication connection with the service access process that carries the encrypted service communication.
- the verification module 4552 is further configured to: take the matching result between the process path of the service access process and the set security directory as the first verification processing result; perform verification processing on the signature information of the service access process to obtain a second verification processing result; and determine the synchronous verification processing result for the service access process according to the first and second verification processing results.
- the verification module 4552 is further configured to determine the second verification processing result according to at least one of: whether the signature information includes a digital signature, the validity verification processing result of the digital signature, the matching result between the signer of the digital signature and the signer blacklist, and the matching result between the certificate information in the signature information and the certificate information blacklist.
- the verification module 4552 is further configured to: determine the digital signature in the signature information and the decryption key corresponding to the digital signature; decrypt the digital signature according to the decryption key to obtain a first hash result of the process file of the service access process; hash the process file of the service access process to obtain a second hash result; and use the matching result between the first hash result and the second hash result as the validity verification processing result of the digital signature.
- the authentication request includes a public key in an asymmetric key pair generated by the service access process, where the asymmetric key pair includes the public key and the private key corresponding to it; the sending module 4554 is further configured to: encrypt the service key information according to the public key; and send the encrypted service key information to the service access process, so that the service access process decrypts the encrypted service key information according to the private key.
- the service key information includes a key identifier and a symmetric key
- the service communication device 455 further includes: a service receiving module, configured to receive a service request sent by the service access process, where the service request includes the key identifier and the request data encrypted with the symmetric key; a query module, used to query, among the allocated symmetric keys, the symmetric key corresponding to the key identifier in the service request; a decryption module, used to decrypt the encrypted request data in the service request according to the queried symmetric key; a response module, used to respond to the request data obtained by the decryption processing to obtain the response data; and an encrypted sending module, used to encrypt the response data according to the public key and send the encrypted response data to the service access process, so that the service access process decrypts the encrypted response data according to the private key.
- the service request further includes a timestamp and first verification information, where the first verification information is obtained by the service access process hashing the key identifier, the symmetric key, the timestamp and the request data encrypted with the symmetric key; the response module is further configured to: hash the key identifier, the queried symmetric key, the timestamp and the encrypted request data to obtain second verification information; and, when the second verification information matches the first verification information, perform response processing on the request data obtained by the decryption processing.
- the service communication device 455 further includes: an expiration processing module, configured to send expiration information to the service access process when the queried use parameter of the symmetric key meets the expiration parameter condition, so as to enable the service access The process resends the authentication request when receiving the expired information; wherein the use parameter includes at least one of the number of times of use and the duration of use.
- the authentication request includes an authentication request address; the determining module 4553 is further configured to perform any one of the following processing: assign different service key information to authentication request addresses sent by different service access processes, Different authentication request addresses sent by the same service access process are assigned different service key information; different authentication request addresses sent by different service access processes are assigned different service key information, and different authentication request addresses sent by the same service access process
- assign different service key information is allocated to the authorization request address; the same service key information is allocated to the authentication request addresses sent by different service access processes, and the same service key is allocated to different authentication request addresses sent by the same service access process. information.
- The verification module 4552 is further configured to periodically match the process information of the service access process against the process information blacklist and use the matching result as the asynchronous verification processing result for the service access process.
- The determining module 4553 is further configured to: when the synchronous verification processing result for the service access process is success, determine the service key information allocated to the service access process; and when the synchronous verification processing result is failure, perform any one of the following: notify the service access process to resend the authentication request; disconnect the communication connection with the service access process used to transmit the authentication request; or interrupt the asynchronous verification processing of the service access process.
- The connection control module 4555 is further configured to: when the asynchronous verification processing result for the service access process is success, maintain the communication connection with the service access process that carries the encrypted service communication; and when the asynchronous verification processing result is failure, disconnect that communication connection.
- The service communication device 455 further includes an encrypted communication module, configured to perform the following during the encrypted service communication: receive a credential request sent by the service access process, the credential request being sent by the service access process when it intercepts a service request of an application process whose destination address is the address of a service server; perform synchronous verification processing on the application process; determine, according to the synchronous verification processing result for the application process, the service credential and gateway address allocated to the application process, and send the service credential and the gateway address to the service access process, so that the service access process sends the service credential and the service request to the service gateway corresponding to the gateway address. The service gateway verifies the received service credential and, when the verification result for the service credential is success, forwards the received service request to the service server; the service server processes the request data in the received service request and responds.
- The encrypted communication module is further configured to: determine the user account in the logged-in state on the device where the application process is located, and obtain the process information of the trusted application processes corresponding to that user account and the addresses of the service servers accessible to that user account; use the match between the process information of the application process and the process information of the trusted application processes as the third verification processing result; use the match between the address of the service server requested by the service request and the accessible service server addresses as the fourth verification processing result; obtain the device information of the device where the application process is located and use the match between the device information and the device security condition as the fifth verification processing result; and determine the synchronous verification processing result for the application process from the third, fourth, and fifth verification processing results.
- The encrypted communication module is further configured to: periodically match the process information of the application process against the process information blacklist and use the matching result as the asynchronous verification processing result for the application process; and control, according to the asynchronous verification processing result for the application process, the communication connection with the service access process that carries the encrypted service communication.
- Embodiments of the present application provide a computer program product or computer program comprising computer instructions (executable instructions) stored in a computer-readable storage medium.
- The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the service communication method described above in the embodiments of the present application.
- The embodiments of the present application further provide a computer-readable storage medium storing executable instructions which, when executed by a processor, cause the processor to perform the method provided by the embodiments of the present application, for example the service communication method shown in FIG. 4A, FIG. 4B, FIG. 4C, FIG. 4D and FIG. 4E.
- The computer-readable storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, or CD-ROM, or any device comprising one or a combination of the foregoing memories.
- The executable instructions may take the form of programs, software, software modules, scripts, or code, written in any form of programming language (including compiled or interpreted languages, or declarative or procedural languages), and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
- The executable instructions may, but need not, correspond to files in a file system; they may be stored as part of a file that holds other programs or data, for example as one or more scripts in a Hyper Text Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple cooperating files (for example, files that store one or more modules, subroutines, or code sections).
- The executable instructions may be deployed to execute on one computing device, on multiple computing devices located at one site, or on multiple computing devices distributed across multiple sites and interconnected by a communication network.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Claims (21)
- 1. A service communication method, performed by an electronic device, the method comprising: receiving an authentication request sent by a service access process; performing synchronous verification processing on the service access process and performing asynchronous verification processing on the service access process; determining, according to the synchronous verification processing result for the service access process, the service key information allocated to the service access process; sending the service key information to the service access process, so as to carry out encrypted service communication with the service access process based on the service key information; and controlling, according to the asynchronous verification processing result for the service access process, the communication connection with the service access process that carries the encrypted service communication.
- 2. The method according to claim 1, wherein performing synchronous verification processing on the service access process comprises: using the matching result between the process path of the service access process and a configured safe directory as a first verification processing result; verifying the signature information of the service access process to obtain a second verification processing result; and determining the synchronous verification processing result for the service access process according to the first verification processing result and the second verification processing result.
- 3. The method according to claim 2, wherein verifying the signature information of the service access process to obtain the second verification processing result comprises: determining the second verification processing result according to at least one of: whether the signature information includes a digital signature; the validity verification result of the digital signature; the matching result between the signer of the digital signature and a signer blacklist; and the matching result between the certificate information in the signature information and a certificate information blacklist.
- 4. The method according to claim 3, further comprising: determining the digital signature in the signature information and the decryption key corresponding to the digital signature; decrypting the digital signature with the decryption key to obtain a first hash result of the process file of the service access process; hashing the process file of the service access process to obtain a second hash result; and using the matching result between the first hash result and the second hash result as the validity verification result of the digital signature.
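The synchronous verification of claims 2 to 4, as an added Go example that is not code from the patent or its applicant: a path check against configured safe directories, and a signature check in which the digest recovered from the signature is compared with a fresh hash of the process file, with the signer and certificate blacklists consulted first. All type and field names, the choice of RSA PKCS#1 v1.5 with SHA-256, the signer name "Example Vendor" and the sample file contents are this example's assumptions; the patent does not fix a signature algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ProcessInfo is what the verifying side knows about the service access process.
// Field names are this example's own, not the patent's.
type ProcessInfo struct {
	Path       string // path of the process file
	FileBytes  []byte // contents of the process file
	Signature  []byte // RSA PKCS#1 v1.5 signature over SHA-256(FileBytes); nil if unsigned
	Signer     string // signer identity taken from the signature block
	CertSerial string // serial number of the signing certificate
}

// Verifier holds the policy: safe directories, known signer keys and the two blacklists.
type Verifier struct {
	SafeDirs        []string
	SignerKeys      map[string]*rsa.PublicKey
	SignerBlacklist map[string]bool
	CertBlacklist   map[string]bool
}

// pathInSafeDir gives the first verification result. filepath.Rel is used instead of a
// string-prefix test so that "/opt/trusted/../evil/x" and "/opt/trustedx/x" are both rejected.
func (v *Verifier) pathInSafeDir(p string) bool {
	for _, dir := range v.SafeDirs {
		rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(p))
		if err != nil || filepath.IsAbs(rel) || rel == ".." ||
			strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue
		}
		return true
	}
	return false
}

// verifySignature gives the second verification result (claims 3 and 4): a signature must be
// present, signer and certificate must not be blacklisted, and the recovered digest must match.
func (v *Verifier) verifySignature(p ProcessInfo) error {
	switch {
	case p.Signature == nil:
		return errors.New("process file carries no digital signature")
	case v.SignerBlacklist[p.Signer]:
		return errors.New("signer is blacklisted")
	case v.CertBlacklist[p.CertSerial]:
		return errors.New("signing certificate is blacklisted")
	}
	pub, ok := v.SignerKeys[p.Signer]
	if !ok {
		return errors.New("unknown signer")
	}
	digest := sha256.Sum256(p.FileBytes) // second hash result: hash of the file on disk
	// VerifyPKCS1v15 recovers the first hash result from the signature and compares it with digest.
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], p.Signature); err != nil {
		return errors.New("digital signature does not match the process file")
	}
	return nil
}

// SyncVerify combines both results: the process passes only if both checks pass.
func (v *Verifier) SyncVerify(p ProcessInfo) (bool, string) {
	if !v.pathInSafeDir(p.Path) {
		return false, "process path is outside the safe directories"
	}
	if err := v.verifySignature(p); err != nil {
		return false, err.Error()
	}
	return true, "ok"
}

// SignFile produces the signature a legitimate signer would attach; used to build sample input.
func SignFile(priv *rsa.PrivateKey, file []byte) []byte {
	digest := sha256.Sum256(file)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed signer key
	v := &Verifier{SafeDirs: []string{"/opt/trusted"},
		SignerKeys: map[string]*rsa.PublicKey{"Example Vendor": &priv.PublicKey}}
	file := []byte("constructed process file contents")
	p := ProcessInfo{Path: "/opt/trusted/agent", FileBytes: file,
		Signature: SignFile(priv, file), Signer: "Example Vendor", CertSerial: "01"}
	fmt.Println(v.SyncVerify(p))
}
```

The path test deliberately avoids a plain string-prefix comparison: a prefix test accepts a sibling directory whose name merely starts with the safe directory's name, and a path containing ".." unless it is cleaned first. The blacklist checks run before the signature is verified, so a revoked signer is rejected even when its signature is still mathematically valid, which is the order claim 3 permits.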
- 5. The method according to claim 1, wherein the authentication request includes the public key of an asymmetric key pair generated by the service access process, the asymmetric key pair comprising the public key and the private key corresponding to the public key; and sending the service key information to the service access process comprises: encrypting the service key information with the public key; and sending the encrypted service key information to the service access process, so that the service access process decrypts the encrypted service key information with the private key.
- 6. The method according to claim 5, wherein the service key information includes a key identifier and a symmetric key, and after sending the encrypted service key information to the service access process the method further comprises: receiving a service request sent by the service access process, the service request including the key identifier and request data encrypted with the symmetric key; looking up, among the allocated symmetric keys, the symmetric key corresponding to the key identifier in the service request; decrypting the encrypted request data in the service request with the queried symmetric key; processing the decrypted request data to obtain response data; and encrypting the response data with the public key and sending the encrypted response data to the service access process, so that the service access process decrypts the encrypted response data with the private key.
- 7. The method according to claim 6, wherein the service request further includes a timestamp and first verification information, the first verification information being obtained by the service access process hashing the key identifier, the symmetric key, the timestamp, and the request data encrypted with the symmetric key; and processing the decrypted request data comprises: hashing the key identifier, the queried symmetric key, the timestamp, and the encrypted request data to obtain second verification information; and processing the decrypted request data when the first verification information matches the second verification information.
- 8. The method according to claim 6, wherein after looking up, among the allocated symmetric keys, the symmetric key corresponding to the key identifier in the service request, the method further comprises: when a use parameter of the queried symmetric key satisfies an expiration parameter condition, sending expiration information to the service access process so that the service access process resends an authentication request upon receiving the expiration information; the use parameter including at least one of a use count and a use duration.
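The request flow of claims 6 to 8 (and of the service receiving, query, decryption, response, encrypted sending and expiration modules in the description above), as an added Go example that is not the patent's or the applicant's code. Both sides are shown: BuildRequest seals the request data under the allocated symmetric key and attaches the first verification information; HandleRequest looks the key up by its identifier, enforces the use count and use duration, recomputes the second verification information and compares it in constant time before decrypting anything, and returns the response encrypted under the public key from the authentication request. Realising the "hash of key identifier, symmetric key, timestamp and encrypted data" as HMAC-SHA256 keyed with the symmetric key, AES-GCM for the symmetric encryption, RSA-OAEP for the response, the five-minute timestamp window, and all type and field names are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// ServiceRequest carries the fields claims 6 and 7 list; field names are this example's own.
type ServiceRequest struct {
	KeyID      string // key identifier from the allocated service key information
	Timestamp  int64  // Unix seconds, set by the service access process
	Ciphertext []byte // AES-GCM nonce followed by the sealed request data
	Check      []byte // first verification information
}

// KeyRecord is one allocated symmetric key, its use parameters (claim 8) and the client's public key (claim 5).
type KeyRecord struct {
	Key           []byte
	Uses, MaxUses int
	Expires       time.Time // the use-duration limit expressed as an instant
	ClientPub     *rsa.PublicKey
}

var (
	ErrUnknownKey    = errors.New("unknown key identifier")
	ErrExpired       = errors.New("symmetric key expired: resend the authentication request")
	ErrStale         = errors.New("timestamp outside the acceptance window")
	ErrCheckMismatch = errors.New("verification information mismatch")
)

const maxSkew = 5 * time.Minute // the patent only hashes the timestamp; rejecting stale requests is an addition

// checkValue realises "hash the key identifier, symmetric key, timestamp and encrypted request data"
// as HMAC-SHA256 keyed with the symmetric key over the other three fields.
func checkValue(key []byte, keyID string, ts int64, ct []byte) []byte {
	mac := hmac.New(sha256.New, key)
	binary.Write(mac, binary.BigEndian, uint32(len(keyID))) // length prefix keeps the fields distinct
	mac.Write([]byte(keyID))
	binary.Write(mac, binary.BigEndian, ts)
	mac.Write(ct)
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HandleRequest is the receiving side of claims 6 to 8: look up the key, enforce its use
// parameters, verify the check before decrypting, and answer under the client's public key.
func HandleRequest(keys map[string]*KeyRecord, req ServiceRequest, handle func([]byte) []byte) ([]byte, error) {
	rec, ok := keys[req.KeyID]
	if !ok {
		return nil, ErrUnknownKey
	}
	if rec.Uses >= rec.MaxUses || time.Now().After(rec.Expires) {
		return nil, ErrExpired // the access process must re-authenticate for a fresh key
	}
	if d := time.Since(time.Unix(req.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return nil, ErrStale
	}
	if !hmac.Equal(checkValue(rec.Key, req.KeyID, req.Timestamp, req.Ciphertext), req.Check) {
		return nil, ErrCheckMismatch // constant-time compare, before any decryption
	}
	gcm, err := newGCM(rec.Key)
	if err != nil || len(req.Ciphertext) < gcm.NonceSize() {
		return nil, errors.New("unusable key or truncated ciphertext")
	}
	plain, err := gcm.Open(nil, req.Ciphertext[:gcm.NonceSize()], req.Ciphertext[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	rec.Uses++
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rec.ClientPub, handle(plain), nil)
}

// BuildRequest is the sending side: seal the data under the symmetric key and attach the check.
func BuildRequest(keyID string, key []byte, ts int64, data []byte) (ServiceRequest, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return ServiceRequest{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ServiceRequest{}, err
	}
	ct := gcm.Seal(nonce, nonce, data, nil)
	return ServiceRequest{KeyID: keyID, Timestamp: ts, Ciphertext: ct, Check: checkValue(key, keyID, ts, ct)}, nil
}
```

On ErrExpired the receiving side would send the expiration information of claim 8 and the access process would start a new authentication request. Two caveats a deployment needs beyond what the claims state: the timestamp window above only bounds how long a captured request stays valid, so a cache of recently seen (key identifier, timestamp, check) tuples is still required to refuse an exact replay inside the window; and RSA-OAEP can encrypt only a short message (190 bytes with a 2048-bit key and SHA-256), so a production system encrypts the response under a symmetric key and wraps only that key with the public key from the authentication request.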
- 9. The method according to claim 1, wherein the authentication request includes an authentication request address, and determining the service key information allocated to the service access process comprises performing any one of the following: allocating different service key information to the authentication request addresses sent by different service access processes and different service key information to different authentication request addresses sent by the same service access process; allocating different service key information to the authentication request addresses sent by different service access processes and the same service key information to different authentication request addresses sent by the same service access process; or allocating the same service key information to the authentication request addresses sent by different service access processes and the same service key information to different authentication request addresses sent by the same service access process.
- 10. The method according to claim 1, wherein determining, according to the synchronous verification processing result for the service access process, the service key information allocated to the service access process comprises: determining the service key information allocated to the service access process when the synchronous verification processing result for the service access process is success; and the method further comprises: when the synchronous verification processing result for the service access process is failure, performing any one of the following: notifying the service access process to resend the authentication request; disconnecting the communication connection with the service access process used to transmit the authentication request; or interrupting the asynchronous verification processing of the service access process.
- 11. The method according to claim 1, wherein controlling, according to the asynchronous verification processing result for the service access process, the communication connection with the service access process that carries the encrypted service communication comprises: maintaining that communication connection when the asynchronous verification processing result for the service access process is success; and disconnecting that communication connection when the asynchronous verification processing result for the service access process is failure.
- 12. The method according to any one of claims 1 to 11, further comprising, during the encrypted service communication: receiving a credential request sent by the service access process, the credential request being sent by the service access process when it intercepts a service request of an application process whose destination address is the address of a service server; performing synchronous verification processing on the application process; and determining, according to the synchronous verification processing result for the application process, the service credential and gateway address allocated to the application process, and sending the service credential and the gateway address to the service access process, so that the service access process sends the service credential and the service request to the service gateway corresponding to the gateway address; wherein the service gateway verifies the received service credential and, when the verification result for the service credential is success, sends the received service request to the service server, and the service server processes the request data in the received service request and responds.
- 13. The method according to claim 12, wherein performing synchronous verification processing on the application process comprises: determining the user account in the logged-in state on the device where the application process is located, and obtaining the process information of the trusted application processes corresponding to the user account and the addresses of the service servers accessible to the user account; using the matching result between the process information of the application process and the process information of the trusted application processes as a third verification processing result; using the matching result between the address of the service server requested by the service request and the addresses of the accessible service servers as a fourth verification processing result; obtaining the device information of the device where the application process is located and using the matching result between the device information and a device security condition as a fifth verification processing result; and determining the synchronous verification processing result for the application process according to the third, fourth, and fifth verification processing results.
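The credential flow of claims 12 and 13, as an added Go example that is not code from the patent or its applicant. The security side runs the three checks of claim 13 (trusted process for the logged-in account, accessible service server for that account, device security condition) and, when all pass, issues a credential bound to the account, the process, the destination server and an expiry; the service gateway accepts a request only when the credential's HMAC verifies, it has not expired, and its destination is the server the request is addressed to. The HMAC construction with a secret shared between the security server and the gateway, the three device attributes, the sample account "alice", the addresses and all names are this example's assumptions; the patent does not specify the credential format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// DeviceInfo is the device information of claim 13; the attributes chosen here are assumptions.
type DeviceInfo struct {
	DiskEncrypted bool
	AVRunning     bool
	PatchAgeDays  int
}

// Policy is what the security side knows per logged-in user account; names are this example's own.
type Policy struct {
	TrustedProcs   map[string][]string // account -> process paths it may use
	AllowedServers map[string][]string // account -> service server addresses it may reach
	MaxPatchAge    int                 // device security condition, together with the two booleans
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// SyncVerifyApp produces the third, fourth and fifth verification results of claim 13 and
// combines them; all three must match for the application process to be granted a credential.
func (p *Policy) SyncVerifyApp(account, procPath, destAddr string, dev DeviceInfo) (bool, string) {
	if !contains(p.TrustedProcs[account], procPath) {
		return false, "process is not trusted for this account"
	}
	if !contains(p.AllowedServers[account], destAddr) {
		return false, "service server is not accessible to this account"
	}
	if !dev.DiskEncrypted || !dev.AVRunning || dev.PatchAgeDays > p.MaxPatchAge {
		return false, "device does not meet the security condition"
	}
	return true, "ok"
}

// Credential is the service credential of claim 12: the authorised destination and an expiry,
// authenticated with an HMAC under a secret shared between the security server and the gateway.
type Credential struct {
	Account, ProcPath, Dest string
	Expires                 int64
	MAC                     []byte
}

func (c Credential) payload() string {
	return strings.Join([]string{c.Account, c.ProcPath, c.Dest, fmt.Sprint(c.Expires)}, "\x1f")
}

func mac(secret []byte, payload string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(payload))
	return h.Sum(nil)
}

// IssueCredential is the security server side: run the synchronous checks, then bind the
// result to this account, process and destination for a short time.
func (p *Policy) IssueCredential(secret []byte, account, procPath, destAddr string, dev DeviceInfo, ttl time.Duration) (Credential, error) {
	if ok, why := p.SyncVerifyApp(account, procPath, destAddr, dev); !ok {
		return Credential{}, errors.New(why)
	}
	c := Credential{Account: account, ProcPath: procPath, Dest: destAddr, Expires: time.Now().Add(ttl).Unix()}
	c.MAC = mac(secret, c.payload())
	return c, nil
}

// GatewayCheck is the service gateway side: forward the request only if the credential is
// genuine, unexpired and issued for the server this request is addressed to.
func GatewayCheck(secret []byte, c Credential, requestDest string) error {
	if !hmac.Equal(c.MAC, mac(secret, c.payload())) {
		return errors.New("credential MAC invalid")
	}
	if time.Now().Unix() > c.Expires {
		return errors.New("credential expired")
	}
	if c.Dest != requestDest {
		return errors.New("credential issued for a different service server")
	}
	return nil
}

func main() {
	secret := []byte("constructed shared secret")
	pol := &Policy{TrustedProcs: map[string][]string{"alice": {"/opt/trusted/mail"}},
		AllowedServers: map[string][]string{"alice": {"10.0.0.5:443"}}, MaxPatchAge: 30}
	c, err := pol.IssueCredential(secret, "alice", "/opt/trusted/mail", "10.0.0.5:443", DeviceInfo{true, true, 3}, time.Minute)
	fmt.Println(err, GatewayCheck(secret, c, "10.0.0.5:443"), GatewayCheck(secret, c, "10.0.0.9:443"))
}
```

Binding the destination into the credential is what makes the gateway check meaningful: a credential obtained for one service server cannot be presented with a request to another, so the fourth verification result of claim 13 is enforced again at the gateway rather than only at issue time. The asynchronous blacklist matching of claim 14 runs alongside this flow and, on a failure, closes the connection regardless of any credential already issued.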
- 14. The method according to claim 12, wherein after receiving the credential request sent by the service access process, the method further comprises: periodically matching the process information of the application process against a process information blacklist and using the matching result as the asynchronous verification processing result for the application process; and controlling, according to the asynchronous verification processing result for the application process, the communication connection with the service access process that carries the encrypted service communication.
- 15. The method according to any one of claims 1 to 11, wherein performing asynchronous verification processing on the service access process comprises: periodically matching the process information of the service access process against a process information blacklist and using the matching result as the asynchronous verification processing result for the service access process.
- 16. A service communication system, comprising a service access client, a security client, and a security server, wherein a service access process runs on the service access client, and the security client is configured to: receive an authentication request sent by the service access process; perform synchronous verification processing on the service access process and notify the security server to perform asynchronous verification processing on the service access process; determine, according to the synchronous verification processing result for the service access process, the service key information allocated to the service access process; send the service key information to the service access process, so as to carry out encrypted service communication with the service access process based on the service key information; and control, according to the security server's asynchronous verification processing result for the service access process, the communication connection with the service access process that carries the encrypted service communication.
- 17. The system according to claim 16, wherein the security client is further configured to: receive a credential request sent by the service access process, the credential request being sent by the service access process when it intercepts a service request of an application process whose destination address is the address of a service server; and notify the security server to perform synchronous verification processing on the application process; the security server is configured to determine, according to the synchronous verification processing result for the application process, the service credential and gateway address allocated to the application process, and to send the service credential and the gateway address to the service access process through the security client; the service access client is further configured to send the service credential and the service request, through the service access process, to the service gateway corresponding to the gateway address; wherein the service gateway verifies the received service credential and, when the verification result for the service credential is success, sends the received service request to the service server, and the service server processes the request data in the received service request and responds.
- 18. A service communication apparatus, comprising: a receiving module, configured to receive an authentication request sent by a service access process; a verification module, configured to perform synchronous verification processing on the service access process and asynchronous verification processing on the service access process; a determining module, configured to determine, according to the synchronous verification processing result for the service access process, the service key information allocated to the service access process; a sending module, configured to send the service key information to the service access process so as to carry out encrypted service communication with the service access process based on the service key information; and a connection control module, configured to control, according to the asynchronous verification processing result for the service access process, the communication connection with the service access process that carries the encrypted service communication.
- 19. An electronic device, comprising: a memory for storing executable instructions; and a processor configured to implement the service communication method according to any one of claims 1 to 15 when executing the executable instructions stored in the memory.
- 20. A computer-readable storage medium storing executable instructions which, when executed by a processor, implement the service communication method according to any one of claims 1 to 15.
- 21. A computer program product comprising executable instructions which, when executed by a processor, implement the service communication method according to any one of claims 1 to 15.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020237008870A KR20230048431A (ko) | 2020-11-05 | 2021-10-22 | 서비스 통신 방법, 시스템, 장치 및 전자 디바이스 |
EP21888427.8A EP4181460A4 (en) | 2020-11-05 | 2021-10-22 | SERVICE COMMUNICATION METHOD, SYSTEM AND DEVICE AND ELECTRONIC DEVICE |
JP2023515835A JP2023541599A (ja) | 2020-11-05 | 2021-10-22 | サービス通信方法、システム、装置及び電子機器 |
US17/974,067 US20230056432A1 (en) | 2020-11-05 | 2022-10-26 | Service communication method, system, apparatus, electronic device, and storage medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011222173.X | 2020-11-05 | ||
CN202011222173.XA CN112422532B (zh) | 2020-11-05 | 2020-11-05 | 业务通信方法、系统、装置及电子设备 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/974,067 Continuation US20230056432A1 (en) | 2020-11-05 | 2022-10-26 | Service communication method, system, apparatus, electronic device, and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022095730A1 true WO2022095730A1 (zh) | 2022-05-12 |
Family
ID=74827887
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/125653 WO2022095730A1 (zh) | 2020-11-05 | 2021-10-22 | 业务通信方法、系统、装置及电子设备 |
Country Status (6)
Country | Link |
---|---|
US (1) | US20230056432A1 (zh) |
EP (1) | EP4181460A4 (zh) |
JP (1) | JP2023541599A (zh) |
KR (1) | KR20230048431A (zh) |
CN (1) | CN112422532B (zh) |
WO (1) | WO2022095730A1 (zh) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115529352A (zh) * | 2022-09-20 | 2022-12-27 | 蚂蚁区块链科技(上海)有限公司 | 计算服务的路由处理方法及装置 |
CN117240910A (zh) * | 2023-11-16 | 2023-12-15 | 中邮消费金融有限公司 | 零信任校验系统以及方法 |
WO2024083978A1 (fr) * | 2022-10-21 | 2024-04-25 | Orange | Procédé de traitement d'une requête d'exécution d'un service dans un réseau de communication, procédé de validation de la requête, entité intermédiaire, entité de validation, système et programme d'ordinateur correspondants |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112422532B (zh) * | 2020-11-05 | 2024-02-23 | 腾讯科技(深圳)有限公司 | 业务通信方法、系统、装置及电子设备 |
CN113259319B (zh) * | 2021-04-12 | 2023-05-12 | 杭州顶象科技有限公司 | 验证处理方法及系统 |
CN113242230B (zh) * | 2021-05-07 | 2022-09-06 | 中国科学技术大学 | 一种基于智能合约的多级认证与访问控制系统及方法 |
CN114172664B (zh) * | 2021-12-07 | 2024-02-09 | 天融信雄安网络安全技术有限公司 | 数据加密、数据解密方法、装置、电子设备及存储介质 |
CN114650216A (zh) * | 2022-03-22 | 2022-06-21 | 阿里云计算有限公司 | 安全防护方法及装置 |
CN114938278B (zh) * | 2022-04-11 | 2023-10-31 | 北京邮电大学 | 一种零信任访问控制方法及装置 |
CN116204543B (zh) * | 2023-05-04 | 2023-08-08 | 天津金城银行股份有限公司 | 一种票据保活的方法、系统、计算机和可读存储介质 |
CN116614312B (zh) * | 2023-07-19 | 2024-04-09 | 北京云尚汇信息技术有限责任公司 | 一种云计算系统的安全验证方法及系统 |
CN117201192A (zh) * | 2023-11-06 | 2023-12-08 | 国家计算机网络与信息安全管理中心 | 一种基于环境度量的零信任单包通信方法及系统 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106790080A (zh) * | 2016-12-22 | 2017-05-31 | 深圳新众诚科技有限公司 | 业务系统和电子凭证系统之间的网络安全通信方法与装置 |
CN110535648A (zh) * | 2018-05-24 | 2019-12-03 | 腾讯科技(深圳)有限公司 | 电子凭证生成及验证和密钥控制方法、装置、系统和介质 |
CN110535807A (zh) * | 2018-05-24 | 2019-12-03 | 腾讯科技(深圳)有限公司 | 一种业务鉴权方法、装置和介质 |
CN111212075A (zh) * | 2020-01-02 | 2020-05-29 | 腾讯云计算(北京)有限责任公司 | 业务请求的处理方法、装置、电子设备及计算机存储介质 |
US20200259827A1 (en) * | 2018-12-04 | 2020-08-13 | Journey.ai | Providing access control and identity verification for communications when initiating a communication from an entity to be verified |
CN112422532A (zh) * | 2020-11-05 | 2021-02-26 | 腾讯科技(深圳)有限公司 | 业务通信方法、系统、装置及电子设备 |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107040513B (zh) * | 2016-06-30 | 2020-06-02 | 郭铮铮 | 一种可信访问认证处理方法、用户终端和服务端 |
US11973745B2 (en) * | 2018-12-04 | 2024-04-30 | Journey.ai | Performing concealed transactions using a zero-knowledge data management network |
AU2020217563A1 (en) * | 2019-02-05 | 2021-09-30 | Ethopass, Llc | Security system and related methods |
CN110569649A (zh) * | 2019-08-21 | 2019-12-13 | 上海易点时空网络有限公司 | 基于异步处理的数据接入服务接口鉴权方法及装置 |
CN111211908B (zh) * | 2019-12-25 | 2023-03-03 | 深圳供电局有限公司 | 访问控制方法、系统、计算机设备和存储介质 |
- 2020
  - 2020-11-05 CN CN202011222173.XA patent/CN112422532B/zh active Active
- 2021
  - 2021-10-22 JP JP2023515835A patent/JP2023541599A/ja active Pending
  - 2021-10-22 WO PCT/CN2021/125653 patent/WO2022095730A1/zh unknown
  - 2021-10-22 KR KR1020237008870A patent/KR20230048431A/ko unknown
  - 2021-10-22 EP EP21888427.8A patent/EP4181460A4/en active Pending
- 2022
  - 2022-10-26 US US17/974,067 patent/US20230056432A1/en active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP4181460A4 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115529352A (zh) * | 2022-09-20 | 2022-12-27 | 蚂蚁区块链科技(上海)有限公司 | 计算服务的路由处理方法及装置 |
WO2024083978A1 (fr) * | 2022-10-21 | 2024-04-25 | Orange | Procédé de traitement d'une requête d'exécution d'un service dans un réseau de communication, procédé de validation de la requête, entité intermédiaire, entité de validation, système et programme d'ordinateur correspondants |
FR3141301A1 (fr) * | 2022-10-21 | 2024-04-26 | Orange | Procédé de traitement d’une requête d’exécution d’un service dans un réseau de communication, procédé de validation de la requête, entité intermédiaire, entité de validation, système et programme d’ordinateur correspondants |
CN117240910A (zh) * | 2023-11-16 | 2023-12-15 | 中邮消费金融有限公司 | 零信任校验系统以及方法 |
CN117240910B (zh) * | 2023-11-16 | 2024-03-01 | 中邮消费金融有限公司 | 零信任校验系统以及方法 |
Also Published As
Publication number | Publication date |
---|---|
KR20230048431A (ko) | 2023-04-11 |
EP4181460A1 (en) | 2023-05-17 |
US20230056432A1 (en) | 2023-02-23 |
JP2023541599A (ja) | 2023-10-03 |
CN112422532B (zh) | 2024-02-23 |
EP4181460A4 (en) | 2024-01-03 |
CN112422532A (zh) | 2021-02-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2022095730A1 (zh) | 业务通信方法、系统、装置及电子设备 | |
US9621355B1 (en) | Securely authorizing client applications on devices to hosted services | |
US20200186358A1 (en) | Persistent network device authentication | |
US8782757B2 (en) | Session sharing in secure web service conversations | |
US8024488B2 (en) | Methods and apparatus to validate configuration of computerized devices | |
US9237021B2 (en) | Certificate grant list at network device | |
JP2019526993A (ja) | ネットワーク機能仮想化システム及び検証方法 | |
US20220103361A1 (en) | Enforcing a Segmentation Policy Using Cryptographic Proof of Identity | |
CN112149105A (zh) | 数据处理系统、方法、相关设备及存储介质 | |
US9325697B2 (en) | Provisioning and managing certificates for accessing secure services in network | |
WO2022100356A1 (zh) | 身份认证系统、方法、装置、设备及计算机可读存储介质 | |
WO2023065969A1 (zh) | 访问控制方法、装置及系统 | |
US11722303B2 (en) | Secure enclave implementation of proxied cryptographic keys | |
WO2021159818A1 (zh) | 秘钥访问控制方法和装置 | |
EP4096160A1 (en) | Shared secret implementation of proxied cryptographic keys | |
CN115473648A (zh) | 一种证书签发系统及相关设备 | |
Walsh et al. | Intra-cloud and inter-cloud authentication | |
US11804957B2 (en) | Exporting remote cryptographic keys | |
US11611541B2 (en) | Secure method to replicate on-premise secrets in a cloud environment | |
CN116846682B (zh) | 通信信道建立方法、装置、设备及介质 | |
US20230403138A1 (en) | Agentless single sign-on techniques | |
CN115130116A (zh) | 业务资源访问方法、装置、设备、可读存储介质及系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21888427 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2021888427 Country of ref document: EP Effective date: 20230207 |
|
ENP | Entry into the national phase |
Ref document number: 2023515835 Country of ref document: JP Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 20237008870 Country of ref document: KR Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |