WO2022121940A1 - Information processing method for service key, and serving end and system - Google Patents

Information processing method for service key, and serving end and system Download PDF

Info

Publication number
WO2022121940A1
WO2022121940A1 PCT/CN2021/136418 CN2021136418W WO2022121940A1 WO 2022121940 A1 WO2022121940 A1 WO 2022121940A1 CN 2021136418 W CN2021136418 W CN 2021136418W WO 2022121940 A1 WO2022121940 A1 WO 2022121940A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
key
service key
license
client
Prior art date
Application number
PCT/CN2021/136418
Other languages
French (fr)
Chinese (zh)
Inventor
孙吉平
念龙龙
Original Assignee
北京深思数盾科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN202011449128.8A external-priority patent/CN112565281B/en
Priority claimed from CN202011511456.6A external-priority patent/CN112671534B/en
Priority claimed from CN202011610457.6A external-priority patent/CN112733200B/en
Application filed by 北京深思数盾科技股份有限公司 filed Critical 北京深思数盾科技股份有限公司
Publication of WO2022121940A1 publication Critical patent/WO2022121940A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/146Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/10Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with particular housing, physical features or manual controls

Definitions

  • the present application relates to the field of information security, and in particular, to an information processing method, server and system for a business key.
  • the purpose of the embodiments of the present application is to provide a service key information processing method, server and system, which can effectively prevent the service key from being leaked or illegally used, so that users can flexibly use the service key At the same time, the security of the business key is also guaranteed.
  • an information processing method for a service key, applied to a server including:
  • the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
  • license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
  • the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
  • invoking the service key to process the data to be processed includes:
  • the license signature is valid
  • the license information is valid, wherein the first preset condition includes a condition that the license information is valid.
  • invoking the service key to process the data to be processed includes:
  • the first preset condition includes a condition that the first use information is consistent with the second use information.
  • the invoking the service key to process the data to be processed includes:
  • the encryption machine is called to process the data to be processed by using the service key, and a corresponding processing result is generated.
  • the obtaining the license information corresponding to the service key based on the first request information specifically includes:
  • the first request information further includes the first biometric feature of the user who requests the service key; the method further includes:
  • invoking the service key to process the data to be processed includes:
  • the service key is invoked to process the data to be processed.
  • the method further includes an operation of obtaining the service key, including:
  • Acquire second request information sent by a second client wherein the second request information includes user information and/or client key information in the second client, wherein the client key information includes all the public key of the personal key and/or the identity of the personal key in the second client;
  • Binding the user information and/or client key information with the generated service key Binding the user information and/or client key information with the generated service key.
  • the method further includes an operation of obtaining the service key, including:
  • client key information includes the public key of the personal key in the second client and/or or the identification of a personal key
  • the method further includes receiving license information sent by the second client and signed by the license, wherein the license information further includes licensee information and/or licensee personal key information.
  • the method further includes receiving the data to be processed sent by the first client, wherein the data to be processed is signed based on a personal key.
  • the method further includes:
  • the encrypted processing result is sent to the first client, so that the first client decrypts the processing result through the private key of the personal key.
  • the license terms include at least one of the following: license effective time, license expiration time, license usage times, and usage information.
  • the embodiment of the present application also provides a method for processing information of a service key, which is applied to the first client and includes:
  • the server sends the first request information to the server, so that the server obtains the license information corresponding to the service key based on the first request information, wherein the first request information is used to request the server to use the stored service key processing data to be processed;
  • the first request information includes at least one of the following: user information, personal key information and service key identification in the first client;
  • the license information includes at least one License terms for Business Keys;
  • the embodiment of the present application also provides a server, including:
  • a first obtaining module configured to: obtain first request information sent by a first client, wherein the first request information is used to request the server to use the stored service key to process data to be processed, and the first request
  • the information includes at least one of the following: user information, personal key information and service key identification in the first client;
  • a second obtaining module configured to: obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
  • a processing module which is configured to: in the case of determining that the license information meets the first preset condition, call the service key to process the data to be processed, and generate a corresponding processing result.
  • Embodiments of the present application further provide an information processing system, including the above-mentioned server, and at least one of the above-mentioned first clients.
  • Embodiments of the present application further provide a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are run on a computer, the following steps are implemented:
  • the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
  • license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
  • the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
  • the server can escrow the service key to prevent the service key from being leaked or illegally used.
  • the request information sent by the client corresponding to the user can be analyzed and judged to determine whether the request information conforms to the license terms set by the service key owner, so that the user can flexibly use the service key.
  • the security of the business key is also guaranteed.
  • FIG. 1 is a flowchart of a service key information processing method according to an embodiment of the application applied to a server;
  • FIG. 2 is a flowchart of an embodiment of step S3 in FIG. 1 according to an embodiment of the application;
  • step S3 in FIG. 1 is a flowchart of another embodiment of step S3 in FIG. 1 according to an embodiment of the application;
  • FIG. 4 is a flowchart of the application of the method for processing service key information according to an embodiment of the present application to a first client;
  • FIG. 5 is a structural block diagram of a server according to an embodiment of the present application.
  • An information processing method for a service key is applied to a server, where the server may be a server or other electronic device with functions similar to the server, and the method can use the server to escrow the service key.
  • the server can connect with at least one client and implement data interaction.
  • the first client sends first request information to the server, where the first request information is used to request the server to process the data to be processed by using the stored service key.
  • the service key is stored on the server so that it can be called at any time. It should be noted that the service key of this application is not handed over to the client but is kept by the server to ensure the security of the service key.
  • the service key can also be sent to the server in advance by the first client with authority or other clients (such as the client where the owner of the service key is located), so that the service key is stored when used. on the server for use.
  • the server can obtain the license information corresponding to the service key based on the first request information, including the user information, personal key information and / or service key identification to obtain license information.
  • the server can start the acquisition action.
  • the license information can be provided by the client to the server, and the server can also obtain it from the storage in real time.
  • the license information and/or the service key meet the first preset condition, if the license information is valid, the license information and the first request information do not logically contradict, and the content and service represented by the first request information If the purpose of the key is the same, the business key is called to process the data to be processed, and the processing result is obtained.
  • the server can escrow the service key to prevent the service key from being leaked or illegally used.
  • the server can analyze and judge the request information sent by the client corresponding to the user to determine whether the request information conforms to the license terms set by the service key owner, so that the user can use the service flexibly At the same time, the security of the business key is also guaranteed.
  • FIG. 1 is a flowchart of a service key information processing method according to an embodiment of the present application applied to a server.
  • the information processing method of the embodiment of the present application can be applied to a server, including a server or other electronic equipment with a service function. As shown in FIG. 1 , the method includes the following steps:
  • S1 Acquire first request information sent by a first client, where the first request information is used to request the server to use the stored service key to process data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identifier in the first client.
  • the server can be connected with one or more clients, and the user of the service key or the owner of the service key has corresponding clients.
  • the owner of the service key can also be the user of the service key, which is not limited here.
  • the first client may be the client corresponding to the user of the service key.
  • the first client sends first request information to the server, so as to request the server to process the data to be processed by using the kept service key.
  • the first request information includes at least one of the following: user information, personal key information and service key identification in the first client.
  • the user information can be the relevant information of the user of the service key;
  • the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.;
  • the key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
  • S2 Acquire license information corresponding to the service key based on the first request information, where the license information includes at least one license clause for using the service key.
  • the server can obtain the license information corresponding to the service key according to at least one feature information included in the first request information.
  • the corresponding license information is obtained according to the user's user information, personal key information and service key identifier.
  • the license information can be pre-stored by the server or obtained by the server from the client.
  • the license information includes at least one license term for using the service key.
  • the license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible.
  • the license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
  • the server needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information.
  • the license information needs to be analyzed and judged to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed, and generate a corresponding The processing result is processed, and the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key.
  • the specific content of the first preset condition may be set according to actual usage requirements, for example, it may be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.
  • the service key is invoked to process the data to be processed, as shown in FIG. 2 , including the following: step:
  • the license signature determines whether the license information is valid based on the license signature, wherein the first preset condition includes a condition that the license information is valid.
  • the license signature may be a signature possessed by the owner of the service key, thereby ensuring that the owner of the service key agrees to license the service key, and also ensuring the legality and validity of the license information.
  • the validity of the signature can be verified based on the public key of the owner of the business key when having the permission to verify that the signature is valid.
  • the owner's public key may be provided by the second client corresponding to the owner. If the license signature is valid, it can be verified whether the license information is valid based on the license signature.
  • the first preset condition includes a condition that the license information is valid, that is, the validity of the license information may be a precondition that the license information meets the first preset condition. Of course, the first preset condition may also include other conditions.
  • the service key is invoked to process the data to be processed, as shown in FIG. 3 , including the following: step:
  • S34 Determine whether the first usage information is consistent with the second usage information, wherein the first preset condition includes a condition that the first usage information is consistent with the second usage information.
  • the service key is invoked to process the data to be processed; on the other hand, when it is determined that the license information and/or the service key meet the first preset condition In the case of conditions, call the business key to process the data to be processed.
  • the license clause includes first usage information for using the service key
  • the first request information also includes second usage information for using the service key, such as encryption, signature and other purposes. If the first usage information is consistent with the second usage information, it may be a sub-condition of the first preset condition. That is to say, the first purpose information and the second purpose information need to be consistent to start calling the service key.
  • the service key in the license clause is used for signature, and the purpose of the requested service key in the first request information is also used for signature, you can It is considered that the first usage information and the second usage information match.
  • the service key itself has third purpose information, such as the purpose of encryption, decryption, signature, signature verification, calculation of mac, and so on.
  • the first usage information, the second usage information, and the third usage information are all consistent, it can be considered that the sub-conditions of the first preset condition are satisfied.
  • the first client corresponding to the user initiates a "signature" request, and the server checks whether the licensed use of the business key includes the "signature" function. signature function, and the first request information also requests to use the service key to sign, it can be considered that the situation cannot satisfy the first preset condition.
  • the invoking of the service key to process the data to be processed includes the following steps:
  • the encryption machine is called to process the data to be processed by using the service key, and a corresponding processing result is generated.
  • the server can use the service key to process the data to be processed; on the other hand, the server can also call the encryption machine to process the data to be processed on the service key.
  • the encryption machine can be connected with the server and can exchange data with the server, and the business key can be encrypted by the encryption machine and stored in the server.
  • the service key is encrypted with a specific key possessed by the encryption machine, the check value is calculated, and then the service key is stored in the server, so as to ensure the security of the service key.
  • the encryption machine can call the service key through the server, and decrypt the service key with its own specific key, for example, use a unique AES symmetric key to decrypt the service key. key for encryption and/or decryption.
  • the encryption machine uses the service key to process the data to be processed to generate a corresponding processing result. and send the processing result to the server.
  • the server can send the processing result to the first client, thereby meeting the usage requirements of the user of the service key.
  • the specific content of the first preset condition can be set according to actual use requirements, and can also be set according to the specific content of the service key and the degree of confidentiality of the service key.
  • the encryption machine can use the decrypted service key to process the data to be processed, without the need for the server to use the service key to process the data to be processed, which also saves system resources of the server.
  • the encryption machine sends the generated processing result to the server, and the server can return the processing result to the first client to meet the request user's requirement of using the service key.
  • the processing result can be encrypted based on the public key of the requesting user's personal key, thereby ensuring the security of the processing result during transmission. It also enables the server to ensure the security of the encrypted processing result when it is sent to the first client. After receiving the processing result, the first client can use the personal key corresponding to the first client. The private key is decrypted to obtain the specific processing data.
  • the obtaining the license information corresponding to the service key based on the first request information specifically includes:
  • the first client may be the client corresponding to the user who requests to use the service key, and the user information may be related information of the user of the service key; the personal key information may be owned by the user.
  • Personal keys such as the public key of the personal key and/or the ID of the personal key, etc.
  • the server may acquire the license information based on the above-mentioned user information, personal key information and/or service key identifier.
  • the first request information further includes the first biometric feature of the user who requests the service key; the method further includes:
  • invoking the service key to process the data to be processed includes:
  • the service key is invoked to process the data to be processed.
  • the first biometric feature may be one or more of the features requested to the user, such as facial features, fingerprint features, and iris features.
  • the first biometric feature can be used to authenticate the identity of the requesting user.
  • the first request information also includes user information, personal key information and/or service key identification of the requesting user.
  • the first request information includes the first biometric feature of the user requesting the service key, and the first biometric feature may be one or more of the features requested for the user, such as facial features, fingerprint features, and iris features.
  • the first request information may also include at least one of the following: user information, personal key information and service key identifiers in the first client.
  • the user information can be the relevant information of the requesting user of the service key
  • the personal key information can be the personal key possessed by the requesting user, such as the public key of the personal key and/or the ID of the personal key, etc.
  • the service key identifier may be information related to the service key requested by the user provided by the user, such as the ID of the requested service key.
  • one or more of the facial features, fingerprint features, and iris features in the first biometric feature of the requesting user may be analyzed. It is determined whether the above-mentioned first biometric feature meets the second preset condition, for example, whether it meets the biometric feature required by the owner of the service key. Moreover, the server also needs to analyze the license information to determine whether it meets the first preset condition. For example, the server needs to determine whether the license information is valid, whether the license information logically contradicts the first request information, and whether the request content contained in the first request information is consistent with the purpose of the service key, etc. When the above sub-conditions are all If the requirements are met, it can be determined that the license information meets the first preset condition.
  • the server can call the service key to process the data to be processed, and generate a corresponding processing result, thereby further improving the security of using the service key.
  • the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key.
  • the specific content of the first preset condition and the second preset condition can be set according to actual usage requirements.
  • the first preset condition can be set according to the specific content of the service key and the server-side pairing of the service key. the degree of confidentiality to be set.
  • the second preset condition may be adjusted according to the change of the appearance of the requested user, for example, the adjustment may be made according to the change of the fatness or thinness of the facial features of the requested user.
  • the method further includes an operation of generating the service key, including:
  • Acquire second request information sent by a second client wherein the second request information includes user information and/or client key information in the second client, wherein the client key information includes all the public key of the personal key and/or the identity of the personal key in the second client;
  • Binding the user information and/or client key information with the generated service key Binding the user information and/or client key information with the generated service key.
  • the second client may be a client corresponding to the owner of the service key, and the second client may generate all its service keys at the server.
  • the owner of the company can be the owner of the service key, so it can generate the service key it owns on the server through the second client.
  • the generating operation includes: the second client sends second request information to the server, where the second request information includes information about the authorization intention of the owner of the service key, and also includes user information of the second client corresponding to the owner and/or or client key information.
  • the client key information includes the public key of the personal key of the second client and/or the identification of the personal key, such as the personal key ID, according to the user information associated with the owner, the public key of the personal key and/or The identity of the personal key, and the corresponding business key can be generated according to the owner's authorization intent.
  • the user information and/or client key information can be bound with the generated service key, for example, the service key, user information, and client information are packaged into data packets, and the data packets are calculated to make them Has a key check code, which can be a digital signature, HMAC, CMAC, etc.
  • the service key can be associated with its owner's information.
  • the owner of the service key can also be the user of the service key
  • the second client also needs to send the service key to the server.
  • the first request information is to request the server to call the service key to process the preprocessed data.
  • the second client corresponding to the owner of the service key is equivalent to the first client.
  • the method further includes an operation of obtaining the service key, including:
  • client key information includes the public key of the personal key in the second client and/or or the identification of a personal key
  • the manner in which the server obtains the service key is not limited to its own generation, and can also be obtained in other manners.
  • the service key can be imported by an external device (such as a mobile phone shield or a device of other business organization), and the import method can be that the external device is directly connected to the server, so as to implement the import operation, so that the server can obtain the key. and store.
  • the external device sends the service key to the second client, that is, the client corresponding to the owner of the service key, and the second client sends the service key to the server, so that the server can obtain and store the service key. .
  • the second client sends user information and/or client key information associated with the owner to the server, wherein the client key information includes the public key of the personal key in the second client and/or the client key information. / or the identification of the personal key, such as the personal key ID.
  • the second client sends the service key and user information and/or client key information, it may send them separately, or may simultaneously send the service key, user information and/or client key information
  • the key information is sent to the server, and the sending method is not limited here.
  • the server After the server receives the user information and/or client key information, it can bind the user information and/or client key information with the obtained business key, and can associate the business key with the owner's information. link.
  • the method further includes receiving license information that is signed by the second client and sent by the second client, wherein the license information further includes licensee information and/or the licensee personally key information.
  • the license signature is a personal key signature of the second client corresponding to the owner of the service key.
  • the license information includes licensee information and/or licensee personal key information. Therefore, when the server obtains the license information, it can analyze the licensee information and/or the licensee's personal key information in the license information, and then judge whether the license information is suitable for the first request information sent by the first client. For example, if the user information of the user contained in the first request information is consistent with the authorized person information in the license information, the corresponding license information can be obtained.
  • the method further includes receiving the data to be processed sent by the first client, wherein the data to be processed is signed based on a personal key.
  • the data to be processed in this implementation may be that the first client sends the data to be processed to the server while sending the first request information to the server, and the data to be processed may be the data to be processed by the first client. It is signed by the personal key related to the user, so as to ensure that the data to be processed is not modified in the process of transmission to the server, which increases the security of the data to be processed.
  • the method further includes the following steps:
  • the encrypted processing result is sent to the first client, so that the first client decrypts the processing result through the private key of the personal key.
  • the server obtains a corresponding processing result after processing the data to be processed by using the service key, and the server can feed back the processing result to the first client, so as to meet the usage requirements of the user of the service key.
  • the server can encrypt the processing result, thereby ensuring the security of the processing result during transmission.
  • the server uses the personal public key corresponding to the first client to encrypt the processing result.
  • the first client can decrypt it using the personal private key corresponding to the first client to obtain the specific processing result. data.
  • the embodiment of the present application also provides a method for processing information of a service key, which is applied to the first client. As shown in FIG. 4 , the method includes the following steps:
  • S4 Send the first request information to the server, so that the server obtains the license information corresponding to the service key based on the first request information, wherein the first request information is used to request the server to use the stored data the service key to process the data to be processed; the first request information includes at least one of the following: user information, personal key information and service key identification in the first client; the license information includes at least one License terms for the service key.
  • the server can be connected to one or more clients, and the user of the service key or the owner of the service key has corresponding clients.
  • the owner of the service key can also be the user of the service key, which is not limited here.
  • the first client may be the client corresponding to the user of the service key.
  • the first client sends first request information to the server, so as to request the server to process the data to be processed by using the kept service key.
  • the first request information includes at least one of the following: user information, personal key information and service key identification in the first client.
  • the user information can be the relevant information of the user of the service key;
  • the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.;
  • the key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
  • the first client sends the first request information to the server, and the server can obtain the license information corresponding to the service key according to at least one characteristic information included in the first request information.
  • the corresponding license information is acquired according to the user's user information, personal key information, and service key identifier.
  • the license information may be pre-stored by the server or acquired by the server from the client.
  • the license information includes at least one license term for using the service key.
  • the license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible.
  • the license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
  • S5 Receive a processing result sent by the server, wherein the processing result is that the server calls the service key to the pending processing when determining that the license information meets the first preset condition. The result of data processing.
  • the server needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information.
  • the license information needs to be analyzed and judged to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed, and generate the corresponding The processing result is processed, and the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key.
  • the specific content of the first preset condition may be set according to actual usage requirements, for example, it may be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.
  • the embodiment of the present application also provides a server, and the server may be a server or other electronic device with functions similar to the server, as shown in FIG. 5 , including:
  • a first obtaining module configured to: obtain first request information sent by a first client, wherein the first request information is used to request the server to use the stored service key to process data to be processed, and the first request
  • the information includes at least one of the following: user information, personal key information and service key identification in the first client.
  • a second obtaining module configured to: obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
  • a processing module which is configured to: in the case of determining that the license information meets the first preset condition, call the service key to process the data to be processed, and generate a corresponding processing result.
  • the server can be connected to one or more clients, and the user of the service key or the owner of the service key has corresponding clients.
  • the owner of the service key can also be the user of the service key, which is not limited here.
  • the first client may be the client corresponding to the user of the service key.
  • the first client sends the first request information to the server, and the first obtaining module obtains the first request information sent by the first client.
  • the first request information is that the first client requests the server to use the kept service key to process the data to be processed.
  • the first request information includes at least one of the following: user information, personal key information and service key identification in the first client.
  • the user information can be the relevant information of the user of the service key;
  • the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.;
  • the key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
  • the second obtaining module can obtain the license information corresponding to the service key according to at least one feature information included in the first request information.
  • the corresponding license information is acquired according to the user's user information, personal key information, and service key identifier.
  • the license information may be pre-stored by the server or acquired by the server from the client.
  • the license information includes at least one license term for using the service key.
  • the license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible.
  • the license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
  • the processing module needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information.
  • the processing module needs to analyze and judge the license information to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed and generate Corresponding processing results, and the server can also send the processing results to the first client, thereby meeting the usage requirements of users of the service key.
  • the specific content of the first preset condition can be set according to actual use requirements, for example, it can be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.
  • the processing module is further configured to:
  • the license signature is valid
  • the license information is valid, wherein the first preset condition includes a condition that the license information is valid.
  • the processing module is further configured to:
  • the first preset condition includes a condition that the first use information is consistent with the second use information.
  • the second obtaining module is further configured to:
  • the server further includes a generation module, and the generation module is configured as:
  • Acquire second request information sent by a second client wherein the second request information includes user information and/or client key information in the second client, wherein the client key information includes all the public key of the personal key and/or the identity of the personal key in the second client;
  • Binding the user information and/or client key information with the generated service key Binding the user information and/or client key information with the generated service key.
  • the server further includes a generation module, and the generation module is configured as:
  • client key information includes the public key of the personal key in the second client and/or or the identification of a personal key
  • the second obtaining module is further configured to:
  • the license information further includes the licensee information and/or the licensee's personal key information.
  • the first acquisition module is further configured to:
  • the data to be processed sent by the first client is received, wherein the data to be processed is signed based on a personal key.
  • the processing module is further configured to:
  • the encrypted processing result is sent to the first client, so that the first client decrypts the processing result through the private key of the personal key.
  • the license terms include at least one of the following: license effective time, license expiration time, license usage times, and usage information.
  • Embodiments of the present application further provide an information processing system, including the above-mentioned server, and at least one of the above-mentioned first clients.
  • the system may also include a second client.
  • the first client may be the client corresponding to the user of the service key
  • the second client may be the client corresponding to the owner of the service key.
  • Embodiments of the present application further provide a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are run on a computer, the following steps are implemented:
  • the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
  • license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
  • the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
  • the server can be connected to one or more clients, and the user of the service key or the owner of the service key has corresponding clients.
  • the owner of the service key can also be the user of the service key, which is not limited here.
  • the first client may be the client corresponding to the user of the service key.
  • the first client sends first request information to the server, so as to request the server to process the data to be processed by using the kept service key.
  • the first request information includes at least one of the following: user information, personal key information and service key identification in the first client.
  • the user information can be the relevant information of the user of the service key;
  • the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.;
  • the key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
  • the server can obtain the license information corresponding to the service key according to at least one feature information included in the first request information.
  • the corresponding license information is obtained according to the user's user information, personal key information and service key identifier.
  • the license information can be pre-stored by the server or obtained by the server from the client.
  • the license information includes at least one license term for using the service key.
  • the license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible.
  • the license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
  • the server needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information.
  • the license information needs to be analyzed and judged to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed, and generate the corresponding The processing result is processed, and the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key.
  • the specific content of the first preset condition may be set according to actual usage requirements, for example, it may be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Disclosed are an information processing method for a service key, and a serving end and a system. The method is applied to a serving end, and comprises: acquiring first request information sent by a first client, wherein the first request information is used for requesting a serving end to process, by using a stored service key, data to be processed, and the first request information comprises at least one of the following: user information, personal key information and a service key identifier which are in the first client; on the basis of the first request information, acquiring license information corresponding to the service key, wherein the license information comprises at least one license article for using the service key; and when it is determined that the license information meets a first preset condition, calling the service key to process said data, so as to generate a corresponding processing result. By means of the method, a service key can be effectively prevented from being divulged or being illegitimately used, such that the security of the service key is also ensured while a user can flexibly use the service key.

Description

业务密钥的信息处理方法、服务端及系统Information processing method, server and system for business key
本申请要求于2020年12月09日向中国专利局提交的名称为“业务密钥的信息处理方法、服务端及系统”,申请号为2020114491288的发明专利申请,以及于2020年12月30日向中国专利局提交的名称为“业务密钥的信息处理方法、加密机及信息处理系统”,申请号为2020116104576的发明专利申请,以及于2020年12月18日向中国专利局提交的名称为“基于生物特征的业务密钥管理方法、服务端及系统”,申请号为2020115114566的发明专利申请的优先权权益,在此以引用方式并入本文中。This application requires an invention patent application titled "Information Processing Method, Server and System for Business Keys" with application number 2020114491288 submitted to the China Patent Office on December 09, 2020, and an invention patent application submitted to China on December 30, 2020 The Patent Office submitted an invention patent application titled "Business Key Information Processing Method, Encryption Machine and Information Processing System" with application number 2020116104576, and an invention patent application submitted to the China Patent Office on December 18, 2020 with the title "Biological-based Featured Service Key Management Method, Server, and System", the priority right of the patent application for invention with application number 2020115114566, which is incorporated herein by reference.
技术领域technical field
本申请涉及信息安全领域,特别涉及一种业务密钥的信息处理方法、服务端及系统。The present application relates to the field of information security, and in particular, to an information processing method, server and system for a business key.
背景技术Background technique
在信息安全领域中,用户需要使用业务密钥,来对目标任务处理,如使用业务密钥实施数字签名或者数据解密等工作。但是目前来说,该业务密钥一旦被发送给具体处理人后,该业务密钥的使用情况便不能被有效控制。例如,处理人有时需要代表公司处理业务,这时需要获取到相应的业务密钥。给予处理人该业务密钥后公司并不能再对其有效控制,这包括:在处理业务期间处理人还可以不受限制的使用原本权限属于公司的业务密钥,以及处理人在完成业务后公司也无法收回该业务密钥。因此,该使用业务密钥的方式会产生极大的安全隐患。In the field of information security, users need to use business keys to process target tasks, such as digital signatures or data decryption using business keys. But at present, once the service key is sent to a specific handler, the usage of the service key cannot be effectively controlled. For example, the processor sometimes needs to handle business on behalf of the company, and in this case, the corresponding business key needs to be obtained. After the processor is given the business key, the company can no longer effectively control it. This includes: during the processing of the business, the processor can also use the business key that originally belonged to the company without restrictions, and after the processor completes the business, the company The service key cannot be recovered either. Therefore, this way of using the service key will cause great security risks.
发明内容SUMMARY OF THE INVENTION
本申请实施例的目的在于提供一种业务密钥的信息处理方法、服务端及系统,该方法能够有效防止业务密钥被泄露或被非法使用,使得使用者可以灵活的使用该业务密钥的同时,也保证了业务密钥的安全性。The purpose of the embodiments of the present application is to provide a service key information processing method, server and system, which can effectively prevent the service key from being leaked or illegally used, so that users can flexibly use the service key At the same time, the security of the business key is also guaranteed.
为了解决上述技术问题,本申请的实施例采用了如下技术方案:一种业务密钥的信息处理方法,应用于服务端,包括:In order to solve the above technical problems, the embodiments of the present application adopt the following technical solutions: an information processing method for a service key, applied to a server, including:
获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;Obtain the first request information sent by the first client, where the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;Obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。When it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
作为可选,所述的在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,包括:As an option, when it is determined that the license information meets the first preset condition, invoking the service key to process the data to be processed includes:
获取所述许可信息的许可签名;obtain a license signature of the license information;
在所述许可签名有效的情况下,基于所述许可签名,确定所述许可信息是否有效,其中所述第一预设条件包括所述许可信息有效的条件。In the case that the license signature is valid, based on the license signature, it is determined whether the license information is valid, wherein the first preset condition includes a condition that the license information is valid.
作为可选,所述的在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,包括:As an option, when it is determined that the license information meets the first preset condition, invoking the service key to process the data to be processed includes:
获取所述许可条款中使用所述业务密钥的第一用途信息,获取所述第一请求信息中使用所述业务密钥的第二用途信息;acquiring first usage information of the service key in the license clause, and acquiring second usage information of the service key in the first request information;
确定所述第一用途信息是否与所述第二用途信息相一致,其中,所述第一预设条件包括所述第一用途信息与所述第二用途信息相一致的条件。It is determined whether the first use information is consistent with the second use information, wherein the first preset condition includes a condition that the first use information is consistent with the second use information.
作为可选,所述调用所述业务密钥对所述待处理数据处理,包括:As an option, the invoking the service key to process the data to be processed includes:
利用特定密钥解密所述业务密钥;decrypt the service key with a specific key;
调用加密机使用所述业务密钥处理所述待处理数据,生成相应的处理结果。The encryption machine is called to process the data to be processed by using the service key, and a corresponding processing result is generated.
作为可选,所述的基于所述第一请求信息获取所述业务密钥对应的许可信息,具体包括:Optionally, the obtaining the license information corresponding to the service key based on the first request information specifically includes:
基于所述第一客户端中的用户信息、个人密钥信息和业务密钥标识其中至少一个获取所述业务密钥对应的许可信息。Obtain license information corresponding to the service key based on at least one of user information, personal key information and service key identification in the first client.
作为可选,所述第一请求信息还包括所述业务密钥的请求使用者的第一生物特征;所述方法还包括:Optionally, the first request information further includes the first biometric feature of the user who requests the service key; the method further includes:
分别对所述许可信息和所述第一生物特征分析,确定所述许可信息是否符合所述第一预设条件,以及所述第一生物特征是否符合第二预设条件;Analyzing the permission information and the first biometric feature respectively, to determine whether the permission information meets the first preset condition, and whether the first biometric feature meets the second preset condition;
相应的,所述在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,包括:Correspondingly, when it is determined that the license information meets the first preset condition, invoking the service key to process the data to be processed includes:
在确定所述许可信息符合第一预设条件,以及所述第一生物特征符合第二预设条件的情况下,调用所述业务密钥对所述待处理数据处理。When it is determined that the license information meets the first preset condition and the first biometric feature meets the second preset condition, the service key is invoked to process the data to be processed.
作为可选,所述方法还包括获取所述业务密钥的操作,其中包括:Optionally, the method further includes an operation of obtaining the service key, including:
获取第二客户端发送的第二请求信息,其中所述第二请求信息包括所述第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Acquire second request information sent by a second client, wherein the second request information includes user information and/or client key information in the second client, wherein the client key information includes all the public key of the personal key and/or the identity of the personal key in the second client;
基于所述第二请求信息生成相应的业务密钥;generating a corresponding service key based on the second request information;
将所述用户信息和/或客户端密钥信息与生成的所述业务密钥绑定。Binding the user information and/or client key information with the generated service key.
作为可选,所述方法还包括获取所述业务密钥的操作,其中包括:Optionally, the method further includes an operation of obtaining the service key, including:
接收外部设备直接导入或通过第二客户端导入的所述业务密钥;receiving the service key directly imported by an external device or imported through a second client;
获取第二客户端发送的第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Obtain user information and/or client key information in the second client sent by the second client, wherein the client key information includes the public key of the personal key in the second client and/or or the identification of a personal key;
将所述用户信息和/或客户端密钥信息与获取到的所述业务密钥绑定。Bind the user information and/or client key information with the acquired service key.
作为可选,所述方法还包括接收所述第二客户端发送的经过了许可签名的许可信息,其中,所述许可信息还包括被授权人信息和/或被授权人个人密钥信息。Optionally, the method further includes receiving license information sent by the second client and signed by the license, wherein the license information further includes licensee information and/or licensee personal key information.
作为可选,所述方法还包括接收所述第一客户端发送的所述待处理数据,其中,所述待处理数据被基于个人密钥对其实施了签名。Optionally, the method further includes receiving the data to be processed sent by the first client, wherein the data to be processed is signed based on a personal key.
作为可选,所述方法还包括:Optionally, the method further includes:
基于个人密钥的公钥对所述处理结果加密;encrypting the processing result based on the public key of the personal key;
将加密后的所述处理结果发送给所述第一客户端,以使所述第一客户端通过个人密钥的私钥对所述处理结果解密。The encrypted processing result is sent to the first client, so that the first client decrypts the processing result through the private key of the personal key.
作为可选,其中,所述许可条款包括以下至少一个:许可生效时间、许可过期时间、许可使用次数以及用途信息。Optionally, the license terms include at least one of the following: license effective time, license expiration time, license usage times, and usage information.
本申请实施例还提供了一种业务密钥的信息处理方法,应用于第一客户端,包括:The embodiment of the present application also provides a method for processing information of a service key, which is applied to the first client and includes:
向服务端发送第一请求信息,以使所述服务端基于所述第一请求信息获取业务密钥对应的许可信息,其中,所述第一请求信息用于请求服务端使用存储的所述业务密钥处理待处理数据;所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;所述许可信息包括至少一个针对使用所述业务密钥的许可条款;Send the first request information to the server, so that the server obtains the license information corresponding to the service key based on the first request information, wherein the first request information is used to request the server to use the stored service key processing data to be processed; the first request information includes at least one of the following: user information, personal key information and service key identification in the first client; the license information includes at least one License terms for Business Keys;
接收所述服务端发送的处理结果,其中,所述处理结果为所述服务端在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理生成的结果。Receive the processing result sent by the server, wherein the processing result is that the server calls the service key to process the data to be processed when it is determined that the license information meets the first preset condition generated result.
本申请实施例还提供了一种服务端,包括:The embodiment of the present application also provides a server, including:
第一获取模块,其配置为:获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;a first obtaining module, configured to: obtain first request information sent by a first client, wherein the first request information is used to request the server to use the stored service key to process data to be processed, and the first request The information includes at least one of the following: user information, personal key information and service key identification in the first client;
第二获取模块,其配置为:基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;A second obtaining module, configured to: obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
处理模块,其配置为:在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。A processing module, which is configured to: in the case of determining that the license information meets the first preset condition, call the service key to process the data to be processed, and generate a corresponding processing result.
本申请实施例还提供了一种信息处理系统,包括如上所述的服务端,还包括至少一个如上所述的第一客户端。Embodiments of the present application further provide an information processing system, including the above-mentioned server, and at least one of the above-mentioned first clients.
本申请实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当所述指令在计算机上运行时,实现如下步骤:Embodiments of the present application further provide a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are run on a computer, the following steps are implemented:
获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;Obtain the first request information sent by the first client, where the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;Obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。When it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
本申请实施例的有益效果在于:该信息处理方法中,服务端可以对业务密钥托管,防止业务密钥被泄露或被非法使用。使用时,可以对使用者对应的客户端发送的请求信息实施分析和判断,以确定该请求信息是否符合业务密钥所有者所设定的许可条款,从而使得使用者可以灵活的使用该业务密钥的同时,也保证了业务密钥的安全性。The beneficial effect of the embodiments of the present application is that in the information processing method, the server can escrow the service key to prevent the service key from being leaked or illegally used. When in use, the request information sent by the client corresponding to the user can be analyzed and judged to determine whether the request information conforms to the license terms set by the service key owner, so that the user can flexibly use the service key. At the same time, the security of the business key is also guaranteed.
附图说明Description of drawings
图1为本申请实施例的业务密钥的信息处理方法应用于服务端的流程图;FIG. 1 is a flowchart of a service key information processing method according to an embodiment of the application applied to a server;
图2为本申请实施例的图1中步骤S3的一个实施例的流程图;FIG. 2 is a flowchart of an embodiment of step S3 in FIG. 1 according to an embodiment of the application;
图3为本申请实施例的图1中步骤S3的另一个实施例的流程图;3 is a flowchart of another embodiment of step S3 in FIG. 1 according to an embodiment of the application;
图4为本申请实施例的业务密钥的信息处理方法应用于第一客户端的流程图;FIG. 4 is a flowchart of the application of the method for processing service key information according to an embodiment of the present application to a first client;
图5为本申请实施例的服务端的结构框图。FIG. 5 is a structural block diagram of a server according to an embodiment of the present application.
具体实施方式Detailed ways
此处参考附图描述本申请的各种方案以及特征。Various aspects and features of the present application are described herein with reference to the accompanying drawings.
应理解的是,可以对此处申请的实施例做出各种修改。因此,上述说明书不应该视为限制,而仅是作为实施例的范例。本领域的技术人员将想到在本申请的范围和精神内的其他修改。It should be understood that various modifications may be made to the embodiments claimed herein. Therefore, the above description should not be regarded as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of this application.
包含在说明书中并构成说明书的一部分的附图示出了本申请的实施例,并且与上面给出的对本申请的大致描述以及下面给出的对实施例的详细描述一起用于解释本申请的原理。The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the present application and, together with the general description of the application given above and the detailed description of the embodiments given below, serve to explain the advantages of the present application. principle.
通过下面参照附图对给定为非限制性实例的实施例的优选形式的描述,本申请的这些和其它特性将会变得显而易见。These and other features of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the accompanying drawings.
还应当理解,尽管已经参照一些具体实例对本申请实施了描述,但本领域技术人员能够确定地实现本申请的很多其它等效形式。It should also be understood that although the present application has been described with reference to some specific examples, those skilled in the art will be able to ascertain the realization of many other equivalents of the present application.
当结合附图时,鉴于以下详细说明,本申请的上述和其他方面、特征和优势将变得更为显而易见。The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
此后参照附图描述本申请的具体实施例;然而,应当理解,所申请的实施例仅仅是本申请的实例,其可采用多种方式实施。熟知和/或重复的功能和结构并未详细描述以避免不必要或多余的细节使得本申请模糊不清。因此,本文所申请的具体的结构性和功能性细节并非意在限定,而是仅仅作为权利要求的基础和代表性基础用于教导本领域技术人员以实质上任意合适的详细结构多样地使用本申请。Specific embodiments of the present application are hereinafter described with reference to the accompanying drawings; however, it is to be understood that the claimed embodiments are merely examples of the present application, which may be implemented in various ways. Well-known and/or repeated functions and constructions have not been described in detail to avoid obscuring the application with unnecessary or redundant detail. Therefore, specific structural and functional details claimed herein are not intended to be limiting, but merely serve as a basis for the claims and a representative basis for teaching one skilled in the art to variously employ the present invention in substantially any suitable detailed structure. Application.
本说明书可使用词组“在一种实施例中”、“在另一个实施例中”、“在又一实施例中”或“在其他实施例中”,其均可指代根据本申请的相同或不同实施例中的一个或多个。This specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may all refer to the same in accordance with the present application or one or more of different embodiments.
本申请实施例的一种业务密钥的信息处理方法,应用于服务端,该服务端可以为服务器或者其他具有与服务器相似功能的电子设备,该方法能够利用服务端对业务密钥托管。该服务端可以与至少一个客户端连接,并实施数据交互。本实施例中,第一客户端发送第一请求信息给服务端,第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据。该业务密钥存储在服务端上以便随时调用,需要说明的是,本申请的该业务密钥并不会交给客户端而是由服务端保管,以保证业务密钥的安全性。当然该业务密钥也可以是具有权限的第一客户端或其他客户端(如业务密钥的拥有者所在的客户端)预先发送给服务端等,使得该业务密钥在使用时均是存储在服务端上以便使用。服务端接收到该第一请求信息后,可以基于第一请求信息获取业务密钥对应的许可信息,包括基于第一请求信息中的使用业务密钥的使用者的用户信息、个人密钥信息和/或业务密钥标识来获取许可信息。该许可信息被使用时服务端可以启动获取动作,此时该许可信息 可以由客户端提供给服务端,也可以由服务端即时从存储器中获取。服务端在许可信息和/或业务密钥符合第一预设条件的情况下,如许可信息有效,许可信息与第一请求信息逻辑上并不抵触,以及第一请求信息所表征的内容与业务密钥的用途相一致等,则调用业务密钥对待处理数据处理,并得到处理结果。An information processing method for a service key according to an embodiment of the present application is applied to a server, where the server may be a server or other electronic device with functions similar to the server, and the method can use the server to escrow the service key. The server can connect with at least one client and implement data interaction. In this embodiment, the first client sends first request information to the server, where the first request information is used to request the server to process the data to be processed by using the stored service key. The service key is stored on the server so that it can be called at any time. It should be noted that the service key of this application is not handed over to the client but is kept by the server to ensure the security of the service key. Of course, the service key can also be sent to the server in advance by the first client with authority or other clients (such as the client where the owner of the service key is located), so that the service key is stored when used. on the server for use. After receiving the first request information, the server can obtain the license information corresponding to the service key based on the first request information, including the user information, personal key information and / or service key identification to obtain license information. When the license information is used, the server can start the acquisition action. At this time, the license information can be provided by the client to the server, and the server can also obtain it from the storage in real time. In the case where the license information and/or the service key meet the first preset condition, if the license information is valid, the license information and the first request information do not logically contradict, and the content and service represented by the first request information If the purpose of the key is the same, the business key is called to process the data to be processed, and the processing result is obtained.
该信息处理方法中,服务端可以对业务密钥托管,防止业务密钥被泄露或被非法使用。使用时,服务端可以对使用者对应的客户端发送的请求信息分析和判断,以确定该请求信息是否符合业务密钥所有者所设定的许可条款,从而使得使用者可以灵活的使用该业务密钥的同时,也保证了业务密钥的安全性。In the information processing method, the server can escrow the service key to prevent the service key from being leaked or illegally used. When in use, the server can analyze and judge the request information sent by the client corresponding to the user to determine whether the request information conforms to the license terms set by the service key owner, so that the user can use the service flexibly At the same time, the security of the business key is also guaranteed.
为了更好的理解上述技术方案,下面通过附图以及具体实施例对本发明技术方案做详细的说明,应当理解本申请实施例以及实施例中的具体特征是对本发明技术方案的详细的说明,而不是对本发明技术方案的限定,在不冲突的情况下,本申请实施例以及实施例中的技术特征可以相互结合。In order to better understand the above technical solutions, the technical solutions of the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments. It is not intended to limit the technical solutions of the present invention, and the embodiments of the present application and the technical features in the embodiments may be combined with each other without conflict.
图1为本申请实施例的业务密钥的信息处理方法应用于服务端的流程图。本申请实施例的信息处理方法,可以应用于服务端,包括服务器或其他具有服务功能的电子设备,如图1所示,该方法包括以下步骤:FIG. 1 is a flowchart of a service key information processing method according to an embodiment of the present application applied to a server. The information processing method of the embodiment of the present application can be applied to a server, including a server or other electronic equipment with a service function. As shown in FIG. 1 , the method includes the following steps:
S1,获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识。S1: Acquire first request information sent by a first client, where the first request information is used to request the server to use the stored service key to process data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identifier in the first client.
服务端可以与一个或多个客户端连接,业务密钥的使用者或业务密钥的所有者均对应有相应的客户端。当然,业务密钥的所有者也同时可以为业务密钥的使用者,在此不作限定。本实施中,第一客户端可以是业务密钥的使用者所对应的客户端。第一客户端向服务端发送第一请求信息,以请求服务端使用保管的业务密钥来处理待处理数据。第一请求信息包括以下至少一个:第一客户端中的用户信息、个人密钥信息和业务密钥标识。其中,该用户信息可以是业务密钥的使用者的相关信息;个人密钥信息可以是使用者具有的个人密钥,如个人密钥的公钥和/或个人密钥的ID等;而业务密钥标识则可以是使用者提供的与其所请求的业务密钥的相关信息,如所请求使用的业务密钥的ID。The server can be connected with one or more clients, and the user of the service key or the owner of the service key has corresponding clients. Of course, the owner of the service key can also be the user of the service key, which is not limited here. In this implementation, the first client may be the client corresponding to the user of the service key. The first client sends first request information to the server, so as to request the server to process the data to be processed by using the kept service key. The first request information includes at least one of the following: user information, personal key information and service key identification in the first client. Wherein, the user information can be the relevant information of the user of the service key; the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.; The key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
S2,基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款。S2: Acquire license information corresponding to the service key based on the first request information, where the license information includes at least one license clause for using the service key.
服务端接收到第一请求信息,便可以根据第一请求信息中包含的至少一个特征信息来获取业务密钥对应的许可信息。例如根据使用者的用户信息、个人密钥信息和业务密钥标识来获取相应的许可信息,该许可信息可以是服务端预先存储,也可以是服务端从 客户端获取。许可信息包括至少一个针对使用业务密钥的许可条款。该许可条款可以是业务密钥的所有者所许可的具体内容。当然同一个业务密钥如果对应了不同的第一客户端,则该许可条款可以并不相同。这使得业务密钥对于不同的使用者可以具有不同的使用方式,使用方式灵活。而该许可条款表征了该业务密钥的使用方式。例如许可生效时间、许可过期时间、许可使用次数以及用途信息等,从而在保证使用者使用该业务密钥的同时还确保了业务密钥并不能被非法使用。After receiving the first request information, the server can obtain the license information corresponding to the service key according to at least one feature information included in the first request information. For example, the corresponding license information is obtained according to the user's user information, personal key information and service key identifier. The license information can be pre-stored by the server or obtained by the server from the client. The license information includes at least one license term for using the service key. The license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible. The license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
S3,在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。S3: In the case that it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
服务端需要对许可信息分析判断,以确保许可信息有效而且许可信息也需要与第一请求信息所表达的用户以及业务密钥的功能相适配。本实施例中需要对许可信息分析和判断,以确定该许可信息符合第一预设条件,在其符合第一预设条件的情况下服务端可以调用业务密钥对待处理数据处理,生成相应的处理结果,而服务端也可以将该处理结果发送给第一客户端,从而满足了业务密钥的使用者的使用需求。此外,对于第一预设条件的具体内容,可以根据实际使用需求来设定,例如可以根据业务密钥的具体内容,以及服务端对业务密钥的保密程度来设定。The server needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information. In this embodiment, the license information needs to be analyzed and judged to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed, and generate a corresponding The processing result is processed, and the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key. In addition, the specific content of the first preset condition may be set according to actual usage requirements, for example, it may be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.
在本申请的一个实施例中,所述的在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,如图2所示,包括以下步骤:In an embodiment of the present application, when it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, as shown in FIG. 2 , including the following: step:
S31,获取所述许可信息的许可签名;S31, obtain the permission signature of the permission information;
S32,在所述许可签名有效的情况下,基于所述许可签名,确定所述许可信息是否有效,其中所述第一预设条件包括所述许可信息有效的条件。S32. In the case that the license signature is valid, determine whether the license information is valid based on the license signature, wherein the first preset condition includes a condition that the license information is valid.
具体的,许可签名可以是业务密钥的所有者具有的签名,从而保证了业务密钥的所有者同意许可该业务密钥,也保证了该许可信息的合法性和有效性。在具有的验证该许可签名是否有效时可以基于业务密钥的所有者的公钥来验证该签名是否有效。而该所有者的公钥可以由所有者对应的第二客户端所提供。如果许可签名有效,则可以基于该许可签名来验证许可信息是否有效。第一预设条件包括了许可信息有效的条件,即许可信息有效可以是许可信息符合第一预设条件的前提。当然该第一预设条件还可以包括其他条件。Specifically, the license signature may be a signature possessed by the owner of the service key, thereby ensuring that the owner of the service key agrees to license the service key, and also ensuring the legality and validity of the license information. The validity of the signature can be verified based on the public key of the owner of the business key when having the permission to verify that the signature is valid. The owner's public key may be provided by the second client corresponding to the owner. If the license signature is valid, it can be verified whether the license information is valid based on the license signature. The first preset condition includes a condition that the license information is valid, that is, the validity of the license information may be a precondition that the license information meets the first preset condition. Of course, the first preset condition may also include other conditions.
在本申请的一个实施例中,所述的在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,如图3所示,包括以下步骤:In an embodiment of the present application, when it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, as shown in FIG. 3 , including the following: step:
S33,获取所述许可条款中使用所述业务密钥的第一用途信息,获取所述第一请求信息中使用所述业务密钥的第二用途信息;S33, acquiring first usage information of the service key in the license clause, and acquiring second usage information of the service key in the first request information;
S34,确定所述第一用途信息是否与所述第二用途信息相一致,其中,所述第一预设条件包括所述第一用途信息与所述第二用途信息相一致的条件。S34: Determine whether the first usage information is consistent with the second usage information, wherein the first preset condition includes a condition that the first usage information is consistent with the second usage information.
本实施例中,一方面,在确定许可信息符合第一预设条件的情况下,调用业务密钥对待处理数据处理;另一方面,在确定许可信息和/或业务密钥符合第一预设条件的情况下,调用业务密钥对待处理数据处理。从第一方面来说,许可条款中具有使用业务密钥的第一用途信息,第一请求信息中也具有使用该业务密钥的第二用途信息,如加密、签名等用途。第一用途信息与所述第二用途信息相一致则可以是第一预设条件中的一个子条件。即启动调用业务密钥则需要第一用途信息与第二用途信息相一致,如许可条款中许可业务密钥是签名使用,第一请求信息中的请求业务密钥的用途也是签名使用,则可以认为第一用途信息与第二用途信息相一致。对于另一方面来说,业务密钥本身具有第三用途信息,如用途为加密、解密、签名、验签、计算mac等。在第一用途信息、第二用途信息和第三用途信息均一致的情况下,可以认为满足了第一预设条件的子条件。例如,使用者对应的第一客户端发起“签名”请求,服务端检查业务密钥的许可用途是否包含“签名”功能,如果有,则认为是可以做“签名”,否则如果业务密钥没有签名功能,而第一请求信息又请求使用业务密钥签名,则可以认为该情况不能满足第一预设条件。In this embodiment, on the one hand, when it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed; on the other hand, when it is determined that the license information and/or the service key meet the first preset condition In the case of conditions, call the business key to process the data to be processed. From the first aspect, the license clause includes first usage information for using the service key, and the first request information also includes second usage information for using the service key, such as encryption, signature and other purposes. If the first usage information is consistent with the second usage information, it may be a sub-condition of the first preset condition. That is to say, the first purpose information and the second purpose information need to be consistent to start calling the service key. If the license service key in the license clause is used for signature, and the purpose of the requested service key in the first request information is also used for signature, you can It is considered that the first usage information and the second usage information match. On the other hand, the service key itself has third purpose information, such as the purpose of encryption, decryption, signature, signature verification, calculation of mac, and so on. When the first usage information, the second usage information, and the third usage information are all consistent, it can be considered that the sub-conditions of the first preset condition are satisfied. For example, the first client corresponding to the user initiates a "signature" request, and the server checks whether the licensed use of the business key includes the "signature" function. signature function, and the first request information also requests to use the service key to sign, it can be considered that the situation cannot satisfy the first preset condition.
在本申请的一个实施例中,所述调用所述业务密钥对所述待处理数据处理,包括以下步骤:In an embodiment of the present application, the invoking of the service key to process the data to be processed includes the following steps:
利用特定密钥解密所述业务密钥;decrypt the service key with a specific key;
调用加密机使用所述业务密钥处理所述待处理数据,生成相应的处理结果。The encryption machine is called to process the data to be processed by using the service key, and a corresponding processing result is generated.
示例性的,一方面,服务端可以使用业务密钥处理待处理数据;另一方面,服务端也可以调用加密机对业务密钥处理待处理数据。Exemplarily, on the one hand, the server can use the service key to process the data to be processed; on the other hand, the server can also call the encryption machine to process the data to be processed on the service key.
其中在使用加密时,加密机可以与服务端连接并能够与服务端进行数据交互,业务密钥可以被加密机加密后存储在服务端中。如利用加密机具有的特定密钥对业务密钥进行加密并计算校验值,然后将业务密钥存储在服务端中,保证了业务密钥的安全性。When encryption is used, the encryption machine can be connected with the server and can exchange data with the server, and the business key can be encrypted by the encryption machine and stored in the server. For example, the service key is encrypted with a specific key possessed by the encryption machine, the check value is calculated, and then the service key is stored in the server, so as to ensure the security of the service key.
许可信息符合第一预设条件的情况下,加密机可以通过服务端调用业务密钥,并利用自身所具有的特定密钥对业务密钥进行解密,例如通过唯一的AES对称密钥来对业务密钥进行加密和/或解密。业务密钥被解密后,加密机使用该业务密钥对待处理数据进行处理,生成相应的处理结果。并将该处理结果发送给服务端。而服务端可以将该处理结果发送给第一客户端,从而满足了业务密钥的使用者的使用需求。此外,对于第一 预设条件的具体内容,可以根据实际使用需求来进行设定,还可以根据业务密钥的具体内容以及对业务密钥的保密程度来设定。When the license information meets the first preset condition, the encryption machine can call the service key through the server, and decrypt the service key with its own specific key, for example, use a unique AES symmetric key to decrypt the service key. key for encryption and/or decryption. After the service key is decrypted, the encryption machine uses the service key to process the data to be processed to generate a corresponding processing result. and send the processing result to the server. The server can send the processing result to the first client, thereby meeting the usage requirements of the user of the service key. In addition, the specific content of the first preset condition can be set according to actual use requirements, and can also be set according to the specific content of the service key and the degree of confidentiality of the service key.
加密机可以使用解密后的业务密钥对待处理数据进行处理,而无需服务端再使用业务密钥对待处理数据进行处理,也节省了服务端的系统资源。加密机将生成的处理结果发送给服务端,而服务端则可以将该处理结果返回给第一客户端,以满足请求使用者的使用业务密钥的需求。The encryption machine can use the decrypted service key to process the data to be processed, without the need for the server to use the service key to process the data to be processed, which also saves system resources of the server. The encryption machine sends the generated processing result to the server, and the server can return the processing result to the first client to meet the request user's requirement of using the service key.
而在加密机将该处理结果发送给服务端时,可以基于请求使用者的个人密钥的公钥对所述处理结果进行加密,从而保证了处理结果在传输过程中的安全性。也使得服务端再将该加密后的处理结果发送给第一客户端的过程中也能够保证其安全性,第一客户端在接收到该处理结果后,可以使用第一客户端对应的个人密钥的私钥对其进行解密,从而获取具体的处理数据。When the encryption machine sends the processing result to the server, the processing result can be encrypted based on the public key of the requesting user's personal key, thereby ensuring the security of the processing result during transmission. It also enables the server to ensure the security of the encrypted processing result when it is sent to the first client. After receiving the processing result, the first client can use the personal key corresponding to the first client. The private key is decrypted to obtain the specific processing data.
在本申请的一个实施例中,所述的基于所述第一请求信息获取所述业务密钥对应的许可信息,具体包括:In an embodiment of the present application, the obtaining the license information corresponding to the service key based on the first request information specifically includes:
基于所述第一客户端中的用户信息、个人密钥信息和业务密钥标识其中至少一个获取所述业务密钥对应的许可信息。Obtain license information corresponding to the service key based on at least one of user information, personal key information and service key identification in the first client.
示例性的,第一客户端可以是请求使用业务密钥的使用者所对应的客户端,而该用户信息可以是业务密钥的使用者的相关信息;个人密钥信息可以是使用者具有的个人密钥,如个人密钥的公钥和/或个人密钥的ID等。服务端可以基于上述的用户信息、个人密钥信息和/或业务密钥标识来获取该许可信息。Exemplarily, the first client may be the client corresponding to the user who requests to use the service key, and the user information may be related information of the user of the service key; the personal key information may be owned by the user. Personal keys, such as the public key of the personal key and/or the ID of the personal key, etc. The server may acquire the license information based on the above-mentioned user information, personal key information and/or service key identifier.
在本申请的一个实施例中,所述第一请求信息还包括所述业务密钥的请求使用者的第一生物特征;所述方法还包括:In an embodiment of the present application, the first request information further includes the first biometric feature of the user who requests the service key; the method further includes:
分别对所述许可信息和所述第一生物特征分析,确定所述许可信息是否符合所述第一预设条件,以及所述第一生物特征是否符合第二预设条件;Analyzing the permission information and the first biometric feature respectively, to determine whether the permission information meets the first preset condition, and whether the first biometric feature meets the second preset condition;
相应的,所述在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,包括:Correspondingly, when it is determined that the license information meets the first preset condition, invoking the service key to process the data to be processed includes:
在确定所述许可信息符合第一预设条件,以及所述第一生物特征符合第二预设条件的情况下,调用所述业务密钥对所述待处理数据处理。When it is determined that the license information meets the first preset condition and the first biometric feature meets the second preset condition, the service key is invoked to process the data to be processed.
示例性的,第一生物特征可以是请求给使用者的面部特征,指纹特征以及虹膜特征等特征中的一个或多个。该第一生物特征能够被用来证明请求使用者的身份。当然该第一请求信息中还包括请求使用者的用户信息、个人密钥信息和/或业务密钥标识。Exemplarily, the first biometric feature may be one or more of the features requested to the user, such as facial features, fingerprint features, and iris features. The first biometric feature can be used to authenticate the identity of the requesting user. Of course, the first request information also includes user information, personal key information and/or service key identification of the requesting user.
第一请求信息包括业务密钥的请求使用者的第一生物特征,该第一生物特征可以是请求给使用者的面部特征,指纹特征以及虹膜特征等特征中的一个或多个。当然该第一请求信息还可以包括以下至少一个:第一客户端中的用户信息、个人密钥信息和业务密钥标识。其中,该用户信息可以是业务密钥的请求使用者的相关信息;个人密钥信息可以是请求使用者具有的个人密钥,如个人密钥的公钥和/或个人密钥的ID等;而业务密钥标识则可以是使用者提供的与其所请求使用的业务密钥的相关信息,如所请求使用的业务密钥的ID。The first request information includes the first biometric feature of the user requesting the service key, and the first biometric feature may be one or more of the features requested for the user, such as facial features, fingerprint features, and iris features. Of course, the first request information may also include at least one of the following: user information, personal key information and service key identifiers in the first client. Wherein, the user information can be the relevant information of the requesting user of the service key; the personal key information can be the personal key possessed by the requesting user, such as the public key of the personal key and/or the ID of the personal key, etc.; The service key identifier may be information related to the service key requested by the user provided by the user, such as the ID of the requested service key.
本实施例中可以分析请求使用者的第一生物特征中的面部特征,指纹特征以及虹膜特征等特征中的一个或多个。确定上述第一生物特征是否符合第二预设条件,例如是否符合业务密钥所有者所要求的生物特征。而且服务端还需要对许可信息进行分析,确定其是否符合第一预设条件。例如,服务端需要确定许可信息是否有效,许可信息与第一请求信息逻辑上是否抵触,以及第一请求信息所具有的请求内容是否与业务密钥的用途相一致等,当上述的子条件均符合要求则可以确定许可信息符合第一预设条件。In this embodiment, one or more of the facial features, fingerprint features, and iris features in the first biometric feature of the requesting user may be analyzed. It is determined whether the above-mentioned first biometric feature meets the second preset condition, for example, whether it meets the biometric feature required by the owner of the service key. Moreover, the server also needs to analyze the license information to determine whether it meets the first preset condition. For example, the server needs to determine whether the license information is valid, whether the license information logically contradicts the first request information, and whether the request content contained in the first request information is consistent with the purpose of the service key, etc. When the above sub-conditions are all If the requirements are met, it can be determined that the license information meets the first preset condition.
如果第一生物特征符合所述第二预设条件,可以确定请求使用者的身份符合业务密钥所有者的要求,进一步保证了业务密钥的安全性。本实施还需要确定许可信息符合所述第一预设条件,服务端才可以调用业务密钥对待处理数据进行处理,生成相应的处理结果,从而进一步提高了业务密钥使用的安全性。生成处理结果后,服务端也可以将该处理结果发送给第一客户端,从而满足了业务密钥的使用者的使用需求。此外,对于第一预设条件和第二预设条件的具体内容,可以根据实际使用需求来进行设定,例如第一预设条件可以根据业务密钥的具体内容,以及服务端对业务密钥的保密程度来设定。第二预设条件则可以根据请求使用者容貌的改变来做出调整,如可以根据请求使用者的面部特征的胖瘦的改变等来做出调整。If the first biometric feature meets the second preset condition, it can be determined that the identity of the requesting user meets the requirements of the owner of the service key, which further ensures the security of the service key. In this implementation, it is also necessary to determine that the license information complies with the first preset condition, before the server can call the service key to process the data to be processed, and generate a corresponding processing result, thereby further improving the security of using the service key. After the processing result is generated, the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key. In addition, the specific content of the first preset condition and the second preset condition can be set according to actual usage requirements. For example, the first preset condition can be set according to the specific content of the service key and the server-side pairing of the service key. the degree of confidentiality to be set. The second preset condition may be adjusted according to the change of the appearance of the requested user, for example, the adjustment may be made according to the change of the fatness or thinness of the facial features of the requested user.
在本申请的一个实施例中,所述方法还包括生成所述业务密钥的操作,其中包括:In an embodiment of the present application, the method further includes an operation of generating the service key, including:
获取第二客户端发送的第二请求信息,其中所述第二请求信息包括所述第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Acquire second request information sent by a second client, wherein the second request information includes user information and/or client key information in the second client, wherein the client key information includes all the public key of the personal key and/or the identity of the personal key in the second client;
基于所述第二请求信息生成相应的业务密钥;generating a corresponding service key based on the second request information;
将所述用户信息和/或客户端密钥信息与生成的所述业务密钥绑定。Binding the user information and/or client key information with the generated service key.
示例性的,第二客户端可以是业务密钥的所有者所对应的客户端,第二客户端可以在服务端生成其所有的业务密钥。例如公司的所有者可以是该业务密钥的所有者,因此其可以通过第二客户端在服务端生成其所拥有的业务密钥。生成操作包括:第二客户端 向服务端发送第二请求信息,该第二请求信息包括业务密钥的所有者的授权意图的相关信息,还包括所有者对应的第二客户端的用户信息和/或客户端密钥信息。该客户端密钥信息包括第二客户端的个人密钥的公钥和/或个人密钥的标识,如个人密钥ID,根据与所有者相关的用户信息、个人密钥的公钥和/或个人密钥的标识,并根据所有者的授权意图可以生成相应的业务密钥。本实施例中,可以将用户信息和/或客户端密钥信息与生成的业务密钥绑定,如将业务密钥、用户信息、客户端信息打包为数据包,并对数据包计算使其具有密钥校验码,该密钥校验码可以是数字签名,HMAC,CMAC等。将用户信息和/或客户端密钥信息与生成的业务密钥进行绑定,可以将业务密钥与其所有者的信息相关联。Exemplarily, the second client may be a client corresponding to the owner of the service key, and the second client may generate all its service keys at the server. For example, the owner of the company can be the owner of the service key, so it can generate the service key it owns on the server through the second client. The generating operation includes: the second client sends second request information to the server, where the second request information includes information about the authorization intention of the owner of the service key, and also includes user information of the second client corresponding to the owner and/or or client key information. The client key information includes the public key of the personal key of the second client and/or the identification of the personal key, such as the personal key ID, according to the user information associated with the owner, the public key of the personal key and/or The identity of the personal key, and the corresponding business key can be generated according to the owner's authorization intent. In this embodiment, the user information and/or client key information can be bound with the generated service key, for example, the service key, user information, and client information are packaged into data packets, and the data packets are calculated to make them Has a key check code, which can be a digital signature, HMAC, CMAC, etc. By binding the user information and/or client key information with the generated service key, the service key can be associated with its owner's information.
在一个实施例中,由于业务密钥的所有者也可以是该业务密钥的使用者,因此在该所有者需要使用业务密钥的情况下,也需要通过第二客户端来向服务端发送第一请求信息,以请求服务端调用业务密钥来处理预处理数据,在此情况下业务密钥的所有者所对应的第二客户端则与第一客户端等同。In one embodiment, since the owner of the service key can also be the user of the service key, if the owner needs to use the service key, the second client also needs to send the service key to the server. The first request information is to request the server to call the service key to process the preprocessed data. In this case, the second client corresponding to the owner of the service key is equivalent to the first client.
在本申请的一个实施例中,所述方法还包括获取所述业务密钥的操作,其中包括:In an embodiment of the present application, the method further includes an operation of obtaining the service key, including:
接收外部设备直接导入或通过第二客户端导入的所述业务密钥;receiving the service key directly imported by an external device or imported through a second client;
获取第二客户端发送的第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Obtain user information and/or client key information in the second client sent by the second client, wherein the client key information includes the public key of the personal key in the second client and/or or the identification of a personal key;
将所述用户信息和/或客户端密钥信息与获取到的所述业务密钥绑定。Bind the user information and/or client key information with the acquired service key.
示例性的,服务端获取业务密钥的方式并不仅限于自身生成,也能够通过其他方式获取。本实施例中,该业务密钥可以由外部设备(如手机盾或其他业务组织的设备)导入,导入的方式可以是由外部设备直接与服务端连接,从而实施导入操作,以使服务端获取并存储。或者外部设备将该业务密钥发送给第二客户端,即业务密钥的所有者所对应的客户端,由第二客户端将该业务密钥发送给服务端,以使服务端获取并存储。此外,第二客户端还将所有者所关联的用户信息和/或客户端密钥信息发送给服务端,其中,该客户端密钥信息包括第二客户端中的个人密钥的公钥和/或个人密钥的标识,如个人密钥ID。需要说明的是,第二客户端在发送业务密钥,以及用户信息和/或客户端密钥信息时,可以分别将其发送,也可以同时将业务密钥,以及用户信息和/或客户端密钥信息发送给服务端,发送方式在此并不限定。服务端接收到该用户信息和/或客户端密钥信息后,可以将用户信息和/或客户端密钥信息与获取到的业务密钥绑定,可以将业务密钥与其所有者的信息相关联。Exemplarily, the manner in which the server obtains the service key is not limited to its own generation, and can also be obtained in other manners. In this embodiment, the service key can be imported by an external device (such as a mobile phone shield or a device of other business organization), and the import method can be that the external device is directly connected to the server, so as to implement the import operation, so that the server can obtain the key. and store. Or the external device sends the service key to the second client, that is, the client corresponding to the owner of the service key, and the second client sends the service key to the server, so that the server can obtain and store the service key. . In addition, the second client sends user information and/or client key information associated with the owner to the server, wherein the client key information includes the public key of the personal key in the second client and/or the client key information. / or the identification of the personal key, such as the personal key ID. It should be noted that when the second client sends the service key and user information and/or client key information, it may send them separately, or may simultaneously send the service key, user information and/or client key information The key information is sent to the server, and the sending method is not limited here. After the server receives the user information and/or client key information, it can bind the user information and/or client key information with the obtained business key, and can associate the business key with the owner's information. link.
在本申请的一个实施例中,所述方法还包括接收所述第二客户端发送的经过了许可签名的许可信息,其中,所述许可信息还包括被授权人信息和/或被授权人个人密钥信息。In an embodiment of the present application, the method further includes receiving license information that is signed by the second client and sent by the second client, wherein the license information further includes licensee information and/or the licensee personally key information.
示例性的,该许可签名为业务密钥的所有者对应的第二客户端的个人密钥签名。而许可信息包括了被授权人信息和/或被授权人个人密钥信息。从而使得服务端在获取许可信息时,可以分析许可信息中的被授权人信息和/或被授权人个人密钥信息,进而判断该许可信息是否与第一客户端发出的第一请求信息相适配,例如第一请求信息中所包含的使用者的用户信息与许可信息中被授权人信息相一致,则可以获取相应的许可信息。Exemplarily, the license signature is a personal key signature of the second client corresponding to the owner of the service key. The license information includes licensee information and/or licensee personal key information. Therefore, when the server obtains the license information, it can analyze the licensee information and/or the licensee's personal key information in the license information, and then judge whether the license information is suitable for the first request information sent by the first client. For example, if the user information of the user contained in the first request information is consistent with the authorized person information in the license information, the corresponding license information can be obtained.
在本申请的一个实施例中,所述方法还包括接收所述第一客户端发送的所述待处理数据,其中,所述待处理数据被基于个人密钥对其实施了签名。In an embodiment of the present application, the method further includes receiving the data to be processed sent by the first client, wherein the data to be processed is signed based on a personal key.
示例性的,本实施中的待处理数据可以是第一客户端在向服务端发送第一请求信息的同时向服务端发送该待处理数据,而该待处理数据可以是第一客户端利用使用者相关的个人密钥对其实施签名,从而保证待处理数据在向服务端传输的过程中没有被修改,增加了待处理数据的安全性。Exemplarily, the data to be processed in this implementation may be that the first client sends the data to be processed to the server while sending the first request information to the server, and the data to be processed may be the data to be processed by the first client. It is signed by the personal key related to the user, so as to ensure that the data to be processed is not modified in the process of transmission to the server, which increases the security of the data to be processed.
在本申请的一个实施例中,所述方法还包括以下步骤:In an embodiment of the present application, the method further includes the following steps:
基于个人密钥的公钥对所述处理结果加密;encrypting the processing result based on the public key of the personal key;
将加密后的所述处理结果发送给所述第一客户端,以使所述第一客户端通过个人密钥的私钥对所述处理结果解密。The encrypted processing result is sent to the first client, so that the first client decrypts the processing result through the private key of the personal key.
示例性的,服务端在使用业务密钥对待处理数据处理后得到相应的处理结果,服务端可以将该处理结果反馈给第一客户端,从而满足业务密钥的使用者的使用需求。在发送该处理结果时服务端可以对该处理结果加密,从而保证了处理结果在传输过程中的安全性。例如服务端使用第一客户端对应的个人公钥对处理结果加密,第一客户端在接收到该处理结果后,可以使用第一客户端对应的个人私钥对其解密,从而获取具体的处理数据。Exemplarily, the server obtains a corresponding processing result after processing the data to be processed by using the service key, and the server can feed back the processing result to the first client, so as to meet the usage requirements of the user of the service key. When sending the processing result, the server can encrypt the processing result, thereby ensuring the security of the processing result during transmission. For example, the server uses the personal public key corresponding to the first client to encrypt the processing result. After receiving the processing result, the first client can decrypt it using the personal private key corresponding to the first client to obtain the specific processing result. data.
本申请实施例还提供了一种业务密钥的信息处理方法,应用于第一客户端,如图4所示,该方法包括以下步骤:The embodiment of the present application also provides a method for processing information of a service key, which is applied to the first client. As shown in FIG. 4 , the method includes the following steps:
S4,向服务端发送第一请求信息,以使所述服务端基于所述第一请求信息获取业务密钥对应的许可信息,其中,所述第一请求信息用于请求服务端使用存储的所述业务密钥处理待处理数据;所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;所述许可信息包括至少一个针对使用所述业务密钥的许可条款。S4: Send the first request information to the server, so that the server obtains the license information corresponding to the service key based on the first request information, wherein the first request information is used to request the server to use the stored data the service key to process the data to be processed; the first request information includes at least one of the following: user information, personal key information and service key identification in the first client; the license information includes at least one License terms for the service key.
示例性的,服务端可以与一个或多个客户端连接,业务密钥的使用者或业务密钥的所有者均对应有相应的客户端。当然,业务密钥的所有者也同时可以为业务密钥的使用者,在此不作限定。本实施中,第一客户端可以是业务密钥的使用者所对应的客户端。第一客户端向服务端发送第一请求信息,以请求服务端使用保管的业务密钥来处理待处理数据。第一请求信息包括以下至少一个:第一客户端中的用户信息、个人密钥信息和业务密钥标识。其中,该用户信息可以是业务密钥的使用者的相关信息;个人密钥信息可以是使用者具有的个人密钥,如个人密钥的公钥和/或个人密钥的ID等;而业务密钥标识则可以是使用者提供的与其所请求的业务密钥的相关信息,如所请求使用的业务密钥的ID。Exemplarily, the server can be connected to one or more clients, and the user of the service key or the owner of the service key has corresponding clients. Of course, the owner of the service key can also be the user of the service key, which is not limited here. In this implementation, the first client may be the client corresponding to the user of the service key. The first client sends first request information to the server, so as to request the server to process the data to be processed by using the kept service key. The first request information includes at least one of the following: user information, personal key information and service key identification in the first client. Wherein, the user information can be the relevant information of the user of the service key; the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.; The key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
第一客户端向服务端发送了第一请求信息,服务端便可以根据第一请求信息中包含的至少一个特征信息来获取业务密钥对应的许可信息。例如根据使用者的用户信息、个人密钥信息和业务密钥标识来获取相应的许可信息,该许可信息可以是服务端预先存储,也可以是服务端从客户端获取。许可信息包括至少一个针对使用业务密钥的许可条款。该许可条款可以是业务密钥的所有者所许可的具体内容。当然同一个业务密钥如果对应了不同的第一客户端,则该许可条款可以并不相同。这使得业务密钥对于不同的使用者可以具有不同的使用方式,使用方式灵活。而该许可条款表征了该业务密钥的使用方式。例如许可生效时间、许可过期时间、许可使用次数以及用途信息等,从而在保证使用者使用该业务密钥的同时还确保了业务密钥并不能被非法使用。The first client sends the first request information to the server, and the server can obtain the license information corresponding to the service key according to at least one characteristic information included in the first request information. For example, the corresponding license information is acquired according to the user's user information, personal key information, and service key identifier. The license information may be pre-stored by the server or acquired by the server from the client. The license information includes at least one license term for using the service key. The license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible. The license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
S5,接收所述服务端发送的处理结果,其中,所述处理结果为所述服务端在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理生成的结果。S5: Receive a processing result sent by the server, wherein the processing result is that the server calls the service key to the pending processing when determining that the license information meets the first preset condition. The result of data processing.
服务端需要对许可信息分析判断,以确保许可信息有效而且许可信息也需要与第一请求信息所表达的用户以及业务密钥的功能相适配。本实施例中需要对许可信息分析和判断,以确定该许可信息符合第一预设条件,在其符合第一预设条件的情况下服务端可以调用业务密钥对待处理数据处理,生成相应的处理结果,而服务端也可以将该处理结果发送给第一客户端,从而满足了业务密钥的使用者的使用需求。此外,对于第一预设条件的具体内容,可以根据实际使用需求来设定,例如可以根据业务密钥的具体内容,以及服务端对业务密钥的保密程度来设定。The server needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information. In this embodiment, the license information needs to be analyzed and judged to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed, and generate the corresponding The processing result is processed, and the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key. In addition, the specific content of the first preset condition may be set according to actual usage requirements, for example, it may be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.
本申请实施例还提供了一种服务端,该服务端可以为服务器或者其他具有与服务器相似功能的电子设备,如图5所示,包括:The embodiment of the present application also provides a server, and the server may be a server or other electronic device with functions similar to the server, as shown in FIG. 5 , including:
第一获取模块,其配置为:获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识。a first obtaining module, configured to: obtain first request information sent by a first client, wherein the first request information is used to request the server to use the stored service key to process data to be processed, and the first request The information includes at least one of the following: user information, personal key information and service key identification in the first client.
第二获取模块,其配置为:基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;A second obtaining module, configured to: obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
处理模块,其配置为:在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。A processing module, which is configured to: in the case of determining that the license information meets the first preset condition, call the service key to process the data to be processed, and generate a corresponding processing result.
示例性的,服务端可以与一个或多个客户端连接,业务密钥的使用者或业务密钥的所有者均对应有相应的客户端。当然,业务密钥的所有者也同时可以为业务密钥的使用者,在此不作限定。本实施中,第一客户端可以是业务密钥的使用者所对应的客户端。第一客户端向服务端发送第一请求信息,第一获取模块获取第一客户端发送的第一请求信息。该第一请求信息为第一客户端请求服务端使用保管的业务密钥来处理待处理数据。第一请求信息包括以下至少一个:第一客户端中的用户信息、个人密钥信息和业务密钥标识。其中,该用户信息可以是业务密钥的使用者的相关信息;个人密钥信息可以是使用者具有的个人密钥,如个人密钥的公钥和/或个人密钥的ID等;而业务密钥标识则可以是使用者提供的与其所请求的业务密钥的相关信息,如所请求使用的业务密钥的ID。Exemplarily, the server can be connected to one or more clients, and the user of the service key or the owner of the service key has corresponding clients. Of course, the owner of the service key can also be the user of the service key, which is not limited here. In this implementation, the first client may be the client corresponding to the user of the service key. The first client sends the first request information to the server, and the first obtaining module obtains the first request information sent by the first client. The first request information is that the first client requests the server to use the kept service key to process the data to be processed. The first request information includes at least one of the following: user information, personal key information and service key identification in the first client. Wherein, the user information can be the relevant information of the user of the service key; the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.; The key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
第二获取模块接收到第一请求信息,便可以根据第一请求信息中包含的至少一个特征信息来获取业务密钥对应的许可信息。例如根据使用者的用户信息、个人密钥信息和业务密钥标识来获取相应的许可信息,该许可信息可以是服务端预先存储,也可以是服务端从客户端获取。许可信息包括至少一个针对使用业务密钥的许可条款。该许可条款可以是业务密钥的所有者所许可的具体内容。当然同一个业务密钥如果对应了不同的第一客户端,则该许可条款可以并不相同。这使得业务密钥对于不同的使用者可以具有不同的使用方式,使用方式灵活。而该许可条款表征了该业务密钥的使用方式。例如许可生效时间、许可过期时间、许可使用次数以及用途信息等,从而在保证使用者使用该业务密钥的同时还确保了业务密钥并不能被非法使用。After receiving the first request information, the second obtaining module can obtain the license information corresponding to the service key according to at least one feature information included in the first request information. For example, the corresponding license information is acquired according to the user's user information, personal key information, and service key identifier. The license information may be pre-stored by the server or acquired by the server from the client. The license information includes at least one license term for using the service key. The license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible. The license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
处理模块需要对许可信息分析判断,以确保许可信息有效而且许可信息也需要与第一请求信息所表达的用户以及业务密钥的功能相适配。本实施例中处理模块需要对许可信息分析和判断,以确定该许可信息符合第一预设条件,在其符合第一预设条件的情况下服务端可以调用业务密钥对待处理数据处理,生成相应的处理结果,而服务端也可以将该处理结果发送给第一客户端,从而满足了业务密钥的使用者的使用需求。此外,对 于第一预设条件的具体内容,可以根据实际使用需求来设定,例如可以根据业务密钥的具体内容,以及服务端对业务密钥的保密程度来设定。The processing module needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information. In this embodiment, the processing module needs to analyze and judge the license information to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed and generate Corresponding processing results, and the server can also send the processing results to the first client, thereby meeting the usage requirements of users of the service key. In addition, the specific content of the first preset condition can be set according to actual use requirements, for example, it can be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.
在本申请的一个实施例中,处理模块进一步配置为:In an embodiment of the present application, the processing module is further configured to:
获取所述许可信息的许可签名;obtain a license signature of the license information;
在所述许可签名有效的情况下,基于所述许可签名,确定所述许可信息是否有效,其中所述第一预设条件包括所述许可信息有效的条件。In the case that the license signature is valid, based on the license signature, it is determined whether the license information is valid, wherein the first preset condition includes a condition that the license information is valid.
在本申请的一个实施例中,处理模块进一步配置为:In an embodiment of the present application, the processing module is further configured to:
获取所述许可条款中使用所述业务密钥的第一用途信息,获取所述第一请求信息中使用所述业务密钥的第二用途信息;acquiring first usage information of the service key in the license clause, and acquiring second usage information of the service key in the first request information;
确定所述第一用途信息是否与所述第二用途信息相一致,其中,所述第一预设条件包括所述第一用途信息与所述第二用途信息相一致的条件。It is determined whether the first use information is consistent with the second use information, wherein the first preset condition includes a condition that the first use information is consistent with the second use information.
在本申请的一个实施例中,第二获取模块进一步配置为:In an embodiment of the present application, the second obtaining module is further configured to:
基于所述第一客户端中的用户信息、个人密钥信息和业务密钥标识其中至少一个获取所述业务密钥对应的许可信息。Obtain license information corresponding to the service key based on at least one of user information, personal key information and service key identification in the first client.
在本申请的一个实施例中,所述服务端还包括生成模块,所述生成模块配置为:In an embodiment of the present application, the server further includes a generation module, and the generation module is configured as:
获取第二客户端发送的第二请求信息,其中所述第二请求信息包括所述第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Acquire second request information sent by a second client, wherein the second request information includes user information and/or client key information in the second client, wherein the client key information includes all the public key of the personal key and/or the identity of the personal key in the second client;
基于所述第二请求信息生成相应的业务密钥;generating a corresponding service key based on the second request information;
将所述用户信息和/或客户端密钥信息与生成的所述业务密钥绑定。Binding the user information and/or client key information with the generated service key.
在本申请的一个实施例中,所述服务端还包括生成模块,所述生成模块配置为:In an embodiment of the present application, the server further includes a generation module, and the generation module is configured as:
接收外部设备直接导入或通过第二客户端导入的所述业务密钥;receiving the service key directly imported by an external device or imported through a second client;
获取第二客户端发送的第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Obtain user information and/or client key information in the second client sent by the second client, wherein the client key information includes the public key of the personal key in the second client and/or or the identification of a personal key;
将所述用户信息和/或客户端密钥信息与获取到的所述业务密钥绑定。Bind the user information and/or client key information with the acquired service key.
在本申请的一个实施例中,第二获取模块进一步配置为:In an embodiment of the present application, the second obtaining module is further configured to:
接收所述第二客户端发送的经过了许可签名的许可信息,其中,所述许可信息还包括被授权人信息和/或被授权人个人密钥信息。Receive the license information sent by the second client and signed by the license, wherein the license information further includes the licensee information and/or the licensee's personal key information.
在本申请的一个实施例中,第一获取模块进一步配置为:In an embodiment of the present application, the first acquisition module is further configured to:
接收所述第一客户端发送的所述待处理数据,其中,所述待处理数据被基于个人密钥对其实施了签名。The data to be processed sent by the first client is received, wherein the data to be processed is signed based on a personal key.
在本申请的一个实施例中,所述处理模块进一步配置为:In an embodiment of the present application, the processing module is further configured to:
基于个人密钥的公钥对所述处理结果加密;encrypting the processing result based on the public key of the personal key;
将加密后的所述处理结果发送给所述第一客户端,以使所述第一客户端通过个人密钥的私钥对所述处理结果解密。The encrypted processing result is sent to the first client, so that the first client decrypts the processing result through the private key of the personal key.
在本申请的一个实施例中,其中,所述许可条款包括以下至少一个:许可生效时间、许可过期时间、许可使用次数以及用途信息。In an embodiment of the present application, the license terms include at least one of the following: license effective time, license expiration time, license usage times, and usage information.
本申请实施例还提供了一种信息处理系统,包括如上所述的服务端,还包括至少一个如上所述的第一客户端。当然该系统还可以包括第二客户端。其中第一客户端可以为业务密钥使用者所对应的客户端,而第二客户端则可以为业务密钥的所有者所对应的客户端。Embodiments of the present application further provide an information processing system, including the above-mentioned server, and at least one of the above-mentioned first clients. Of course, the system may also include a second client. The first client may be the client corresponding to the user of the service key, and the second client may be the client corresponding to the owner of the service key.
本申请实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当所述指令在计算机上运行时,实现如下步骤:Embodiments of the present application further provide a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are run on a computer, the following steps are implemented:
获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;Obtain the first request information sent by the first client, where the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;Obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。When it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
示例性的,服务端可以与一个或多个客户端连接,业务密钥的使用者或业务密钥的所有者均对应有相应的客户端。当然,业务密钥的所有者也同时可以为业务密钥的使用者,在此不作限定。本实施中,第一客户端可以是业务密钥的使用者所对应的客户端。第一客户端向服务端发送第一请求信息,以请求服务端使用保管的业务密钥来处理待处理数据。第一请求信息包括以下至少一个:第一客户端中的用户信息、个人密钥信息和业务密钥标识。其中,该用户信息可以是业务密钥的使用者的相关信息;个人密钥信息可以是使用者具有的个人密钥,如个人密钥的公钥和/或个人密钥的ID等;而业务密钥标识则可以是使用者提供的与其所请求的业务密钥的相关信息,如所请求使用的业务密钥的ID。Exemplarily, the server can be connected to one or more clients, and the user of the service key or the owner of the service key has corresponding clients. Of course, the owner of the service key can also be the user of the service key, which is not limited here. In this implementation, the first client may be the client corresponding to the user of the service key. The first client sends first request information to the server, so as to request the server to process the data to be processed by using the kept service key. The first request information includes at least one of the following: user information, personal key information and service key identification in the first client. Wherein, the user information can be the relevant information of the user of the service key; the personal key information can be the personal key possessed by the user, such as the public key of the personal key and/or the ID of the personal key, etc.; The key identifier may be information related to the service key requested by the user, such as the ID of the requested service key.
服务端接收到第一请求信息,便可以根据第一请求信息中包含的至少一个特征信息来获取业务密钥对应的许可信息。例如根据使用者的用户信息、个人密钥信息和业务密钥标识来获取相应的许可信息,该许可信息可以是服务端预先存储,也可以是服务端从 客户端获取。许可信息包括至少一个针对使用业务密钥的许可条款。该许可条款可以是业务密钥的所有者所许可的具体内容。当然同一个业务密钥如果对应了不同的第一客户端,则该许可条款可以并不相同。这使得业务密钥对于不同的使用者可以具有不同的使用方式,使用方式灵活。而该许可条款表征了该业务密钥的使用方式。例如许可生效时间、许可过期时间、许可使用次数以及用途信息等,从而在保证使用者使用该业务密钥的同时还确保了业务密钥并不能被非法使用。After receiving the first request information, the server can obtain the license information corresponding to the service key according to at least one feature information included in the first request information. For example, the corresponding license information is obtained according to the user's user information, personal key information and service key identifier. The license information can be pre-stored by the server or obtained by the server from the client. The license information includes at least one license term for using the service key. The license terms can be specific to what is licensed by the owner of the service key. Of course, if the same service key corresponds to different first clients, the license terms may not be the same. This enables the service key to have different usage modes for different users, and the usage modes are flexible. The license terms characterize how the service key is used. For example, the validity time of the license, the expiration time of the license, the number of times of use of the license, and the usage information, etc., so as to ensure that the user can use the service key while also ensuring that the service key cannot be illegally used.
服务端需要对许可信息分析判断,以确保许可信息有效而且许可信息也需要与第一请求信息所表达的用户以及业务密钥的功能相适配。本实施例中需要对许可信息分析和判断,以确定该许可信息符合第一预设条件,在其符合第一预设条件的情况下服务端可以调用业务密钥对待处理数据处理,生成相应的处理结果,而服务端也可以将该处理结果发送给第一客户端,从而满足了业务密钥的使用者的使用需求。此外,对于第一预设条件的具体内容,可以根据实际使用需求来设定,例如可以根据业务密钥的具体内容,以及服务端对业务密钥的保密程度来设定。The server needs to analyze and judge the license information to ensure that the license information is valid and the license information also needs to be adapted to the functions of the user and the service key expressed by the first request information. In this embodiment, the license information needs to be analyzed and judged to determine that the license information complies with the first preset condition. If the license information meets the first preset condition, the server can call the service key to process the data to be processed, and generate the corresponding The processing result is processed, and the server can also send the processing result to the first client, thereby meeting the usage requirements of the user of the service key. In addition, the specific content of the first preset condition may be set according to actual usage requirements, for example, it may be set according to the specific content of the service key and the degree of confidentiality of the service key by the server.
以上实施例仅为本申请的示例性实施例,不用于限制本申请,本申请的保护范围由权利要求书限定。本领域技术人员可以在本申请的实质和保护范围内,对本申请做出各种修改或等同替换,这种修改或等同替换也应视为落在本申请的保护范围内。The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application. The protection scope of the present application is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to the present application within the spirit and protection scope of the present application, and such modifications or equivalent replacements should also be regarded as falling within the protection scope of the present application.

Claims (16)

  1. 一种业务密钥的信息处理方法,其特征在于,应用于服务端,包括:An information processing method for a business key, characterized in that, applied to a server, comprising:
    获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;Obtain the first request information sent by the first client, where the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
    基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;Obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
    在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。When it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
  2. 根据权利要求1所述的方法,其特征在于,所述的在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,包括:The method according to claim 1, wherein when it is determined that the license information complies with a first preset condition, invoking the service key to process the data to be processed comprises:
    获取所述许可信息的许可签名;obtain a license signature of the license information;
    在所述许可签名有效的情况下,基于所述许可签名,确定所述许可信息是否有效,其中所述第一预设条件包括所述许可信息有效的条件。In the case that the license signature is valid, based on the license signature, it is determined whether the license information is valid, wherein the first preset condition includes a condition that the license information is valid.
  3. 根据权利要求1所述的方法,其特征在于,所述的在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,包括:The method according to claim 1, wherein when it is determined that the license information complies with a first preset condition, invoking the service key to process the data to be processed comprises:
    获取所述许可条款中使用所述业务密钥的第一用途信息,获取所述第一请求信息中使用所述业务密钥的第二用途信息;acquiring first usage information of the service key in the license clause, and acquiring second usage information of the service key in the first request information;
    确定所述第一用途信息是否与所述第二用途信息相一致,其中,所述第一预设条件包括所述第一用途信息与所述第二用途信息相一致的条件。It is determined whether the first use information is consistent with the second use information, wherein the first preset condition includes a condition that the first use information is consistent with the second use information.
  4. 根据权利要求1所述的方法,其特征在于,所述调用所述业务密钥对所述待处理数据处理,包括:The method according to claim 1, wherein the invoking the service key to process the data to be processed comprises:
    利用特定密钥解密所述业务密钥;decrypt the service key with a specific key;
    调用加密机使用所述业务密钥处理所述待处理数据,生成相应的处理结果。The encryption machine is called to process the data to be processed by using the service key, and a corresponding processing result is generated.
  5. 根据权利要求1所述的方法,其特征在于,所述的基于所述第一请求信息获取所述业务密钥对应的许可信息,具体包括:The method according to claim 1, wherein the obtaining the license information corresponding to the service key based on the first request information specifically includes:
    基于所述第一客户端中的用户信息、个人密钥信息和业务密钥标识其中至少一个获取所述业务密钥对应的许可信息。Obtain license information corresponding to the service key based on at least one of user information, personal key information and service key identification in the first client.
  6. 根据权利要求1所述的方法,其特征在于,所述第一请求信息还包括所述业务密钥的请求使用者的第一生物特征;所述方法还包括:The method according to claim 1, wherein the first request information further comprises a first biometric feature of a user who requests the service key; the method further comprises:
    分别对所述许可信息和所述第一生物特征分析,确定所述许可信息是否符合所述第一预设条件,以及所述第一生物特征是否符合第二预设条件;Analyzing the permission information and the first biometric feature respectively, to determine whether the permission information meets the first preset condition, and whether the first biometric feature meets the second preset condition;
    相应的,所述在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,包括:Correspondingly, when it is determined that the license information meets the first preset condition, invoking the service key to process the data to be processed includes:
    在确定所述许可信息符合第一预设条件,以及所述第一生物特征符合第二预设条件的情况下,调用所述业务密钥对所述待处理数据处理。When it is determined that the license information meets the first preset condition and the first biometric feature meets the second preset condition, the service key is invoked to process the data to be processed.
  7. 根据权利要求1所述的方法,其特征在于,所述方法还包括获取所述业务密钥的操作,其中包括:The method according to claim 1, wherein the method further comprises the operation of obtaining the service key, which includes:
    获取第二客户端发送的第二请求信息,其中所述第二请求信息包括所述第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Acquire second request information sent by a second client, wherein the second request information includes user information and/or client key information in the second client, wherein the client key information includes all the public key of the personal key and/or the identity of the personal key in the second client;
    基于所述第二请求信息生成相应的业务密钥;generating a corresponding service key based on the second request information;
    将所述用户信息和/或客户端密钥信息与生成的所述业务密钥绑定。Binding the user information and/or client key information with the generated service key.
  8. 根据权利要求1所述的方法,其特征在于,所述方法还包括获取所述业务密钥的操作,其中包括:The method according to claim 1, wherein the method further comprises the operation of obtaining the service key, which includes:
    接收外部设备直接导入或通过第二客户端导入的所述业务密钥;receiving the service key directly imported by an external device or imported through a second client;
    获取第二客户端发送的第二客户端中的用户信息和/或客户端密钥信息,其中,所述客户端密钥信息包括所述第二客户端中的个人密钥的公钥和/或个人密钥的标识;Obtain user information and/or client key information in the second client sent by the second client, wherein the client key information includes the public key of the personal key in the second client and/or or the identification of a personal key;
    将所述用户信息和/或客户端密钥信息与获取到的所述业务密钥绑定。Bind the user information and/or client key information with the acquired service key.
  9. 根据权利要求7所述的方法,其特征在于,所述方法还包括接收所述第二客户端发送的经过了许可签名的许可信息,其中,所述许可信息还包括被授权人信息和/或被授权人个人密钥信息。The method according to claim 7, characterized in that, the method further comprises receiving license information that is signed by the second client and sent by the second client, wherein the license information further includes licensee information and/or Licensee personal key information.
  10. 根据权利要求1所述的方法,其特征在于,所述方法还包括接收所述第一客户端发送的所述待处理数据,其中,所述待处理数据被基于个人密钥对其实施了签名。The method of claim 1, further comprising receiving the data to be processed sent by the first client, wherein the data to be processed is signed based on a personal key .
  11. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method according to claim 1, wherein the method further comprises:
    基于个人密钥的公钥对所述处理结果加密;encrypting the processing result based on the public key of the personal key;
    将加密后的所述处理结果发送给所述第一客户端,以使所述第一客户端通过个人密钥的私钥对所述处理结果解密。The encrypted processing result is sent to the first client, so that the first client decrypts the processing result through the private key of the personal key.
  12. 根据权利要求1所述的方法,其特征在于,其中,所述许可条款包括以下至少一个:许可生效时间、许可过期时间、许可使用次数以及用途信息。The method according to claim 1, wherein the license terms include at least one of the following: license effective time, license expiration time, license usage times, and usage information.
  13. 一种业务密钥的信息处理方法,其特征在于,应用于第一客户端,包括:An information processing method for a service key, characterized in that, applied to a first client, comprising:
    向服务端发送第一请求信息,以使所述服务端基于所述第一请求信息获取业务密钥对应的许可信息,其中,所述第一请求信息用于请求服务端使用存储的所述业务密钥处理待处理数据;所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;所述许可信息包括至少一个针对使用所述业务密钥的许可条款;Send the first request information to the server, so that the server obtains the license information corresponding to the service key based on the first request information, wherein the first request information is used to request the server to use the stored service key processing data to be processed; the first request information includes at least one of the following: user information, personal key information and service key identification in the first client; the license information includes at least one License terms for Business Keys;
    接收所述服务端发送的处理结果,其中,所述处理结果为所述服务端在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理生成的结果。Receive the processing result sent by the server, wherein the processing result is that the server calls the service key to process the data to be processed when it is determined that the license information meets the first preset condition generated result.
  14. 一种服务端,其特征在于,包括:A server, characterized in that it includes:
    第一获取模块,其配置为:获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;a first obtaining module, configured to: obtain first request information sent by a first client, wherein the first request information is used to request the server to use the stored service key to process data to be processed, and the first request The information includes at least one of the following: user information, personal key information and service key identification in the first client;
    第二获取模块,其配置为:基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;A second obtaining module, configured to: obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
    处理模块,其配置为:在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。A processing module, which is configured to: in the case of determining that the license information meets the first preset condition, call the service key to process the data to be processed, and generate a corresponding processing result.
  15. 一种信息处理系统,其特征在于,包括如权利要求1至12任意一项所述的服务端,还包括至少一个如权利要求1至12任意一项所述的第一客户端。An information processing system, characterized by comprising the server according to any one of claims 1 to 12, and at least one first client according to any one of claims 1 to 12.
  16. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质中存储有指令,当所述指令在计算机上运行时,实现如下步骤:A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions, and when the instructions are executed on a computer, the following steps are implemented:
    获取第一客户端发送的第一请求信息,其中,所述第一请求信息用于请求服务端使用存储的业务密钥处理待处理数据,所述第一请求信息包括以下至少一个:所述第一客户端中的用户信息、个人密钥信息和业务密钥标识;Obtain the first request information sent by the first client, where the first request information is used to request the server to use the stored service key to process the data to be processed, and the first request information includes at least one of the following: User information, personal key information and service key identification in a client;
    基于所述第一请求信息获取所述业务密钥对应的许可信息,其中,所述许可信息包括至少一个针对使用所述业务密钥的许可条款;Obtain license information corresponding to the service key based on the first request information, wherein the license information includes at least one license clause for using the service key;
    在确定所述许可信息符合第一预设条件的情况下,调用所述业务密钥对所述待处理数据处理,生成相应的处理结果。When it is determined that the license information meets the first preset condition, the service key is invoked to process the data to be processed, and a corresponding processing result is generated.
PCT/CN2021/136418 2020-12-09 2021-12-08 Information processing method for service key, and serving end and system WO2022121940A1 (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
CN202011449128.8A CN112565281B (en) 2020-12-09 2020-12-09 Information processing method, server and system of service key
CN202011449128.8 2020-12-09
CN202011511456.6 2020-12-18
CN202011511456.6A CN112671534B (en) 2020-12-18 2020-12-18 Service key management method, service terminal and system based on biological characteristics
CN202011610457.6 2020-12-30
CN202011610457.6A CN112733200B (en) 2020-12-30 2020-12-30 Information processing method, encryption machine and information processing system of service key

Publications (1)

Publication Number Publication Date
WO2022121940A1 true WO2022121940A1 (en) 2022-06-16

Family

ID=81973076

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/136418 WO2022121940A1 (en) 2020-12-09 2021-12-08 Information processing method for service key, and serving end and system

Country Status (1)

Country Link
WO (1) WO2022121940A1 (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120051540A1 (en) * 2010-08-24 2012-03-01 Electronics And Telecommunications Research Institute Conditional access system and method of using conditional access image
CN107070879A (en) * 2017-02-15 2017-08-18 北京深思数盾科技股份有限公司 Data guard method and system
CN108199838A (en) * 2018-01-31 2018-06-22 北京深思数盾科技股份有限公司 A kind of data guard method and device
CN111130803A (en) * 2019-12-26 2020-05-08 信安神州科技(广州)有限公司 Method, system and device for digital signature
CN111327637A (en) * 2020-03-10 2020-06-23 时时同云科技(成都)有限责任公司 Service key management method and system
CN111797430A (en) * 2020-06-30 2020-10-20 平安国际智慧城市科技股份有限公司 Data verification method, device, server and storage medium
CN112565281A (en) * 2020-12-09 2021-03-26 北京深思数盾科技股份有限公司 Information processing method, server and system of service key
CN112671534A (en) * 2020-12-18 2021-04-16 北京深思数盾科技股份有限公司 Service key management method, service terminal and system based on biological characteristics
CN112733200A (en) * 2020-12-30 2021-04-30 北京深思数盾科技股份有限公司 Information processing method, encryption machine and information processing system of service key

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120051540A1 (en) * 2010-08-24 2012-03-01 Electronics And Telecommunications Research Institute Conditional access system and method of using conditional access image
CN107070879A (en) * 2017-02-15 2017-08-18 北京深思数盾科技股份有限公司 Data guard method and system
CN108199838A (en) * 2018-01-31 2018-06-22 北京深思数盾科技股份有限公司 A kind of data guard method and device
CN111130803A (en) * 2019-12-26 2020-05-08 信安神州科技(广州)有限公司 Method, system and device for digital signature
CN111327637A (en) * 2020-03-10 2020-06-23 时时同云科技(成都)有限责任公司 Service key management method and system
CN111797430A (en) * 2020-06-30 2020-10-20 平安国际智慧城市科技股份有限公司 Data verification method, device, server and storage medium
CN112565281A (en) * 2020-12-09 2021-03-26 北京深思数盾科技股份有限公司 Information processing method, server and system of service key
CN112671534A (en) * 2020-12-18 2021-04-16 北京深思数盾科技股份有限公司 Service key management method, service terminal and system based on biological characteristics
CN112733200A (en) * 2020-12-30 2021-04-30 北京深思数盾科技股份有限公司 Information processing method, encryption machine and information processing system of service key

Similar Documents

Publication Publication Date Title
US20200228335A1 (en) Authentication system for enhancing network security
WO2019233204A1 (en) Method, apparatus and system for key management, storage medium, and computer device
US20180082050A1 (en) Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device
US9654468B2 (en) System and method for secure remote biometric authentication
US7797544B2 (en) Attesting to establish trust between computer entities
TWI454111B (en) Techniques for ensuring authentication and integrity of communications
TWI578749B (en) Methods and apparatus for migrating keys
CN112187724B (en) Access control method, device, gateway, client and security token service
US20120284506A1 (en) Methods and apparatus for preventing crimeware attacks
US11556617B2 (en) Authentication translation
WO2020173332A1 (en) Trusted execution environment-based application activation method and apparatus
WO2021120615A1 (en) Encryption apparatus, encryption system and data encryption method
CN112565281B (en) Information processing method, server and system of service key
CN111954211B (en) Novel authentication key negotiation system of mobile terminal
WO2021190197A1 (en) Method and apparatus for authenticating biometric payment device, computer device and storage medium
US10867056B2 (en) Method and system for data protection
DK2414983T3 (en) Secure computer system
US20180262471A1 (en) Identity verification and authentication method and system
KR102010776B1 (en) Method for password processing based on blockchain, method for user login authentication and server using the same
CN112733200B (en) Information processing method, encryption machine and information processing system of service key
CN112671534B (en) Service key management method, service terminal and system based on biological characteristics
JPH10336172A (en) Managing method of public key for electronic authentication
JPH11353280A (en) Identity confirmation method and system by means of encipherment of secret data
CN110807210A (en) Information processing method, platform, system and computer storage medium
WO2022121940A1 (en) Information processing method for service key, and serving end and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21902645

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21902645

Country of ref document: EP

Kind code of ref document: A1