CN111083132A - Safe access method and system for web application with sensitive data - Google Patents
- Publication number
- CN111083132A (application number CN201911263373.7A)
- Authority
- CN (China)
- Prior art keywords
- module
- certificate
- user
- web application
- browser
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/025—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
Abstract
The invention provides a secure access method and system for web applications with sensitive data. The system comprises a user side unit, an https proxy gateway and a CA center. The user side unit detects the software running environment and the user certificate, verifies the legality of the computer hardware bound to the user, accesses the web application with sensitive data, uploads computer hardware information, and protects the local cache data of a dedicated security browser; the https proxy gateway verifies the connection request of the dedicated browser, proxies the web application, records the hardware information of the user side unit, monitors the computer hardware information uploaded by the user side, monitors abnormal access and records logs; and the CA center is responsible for the application, issuance and lifecycle management of the user certificate. With this scheme the terminal information is protected, the legality and security of access are ensured, protective action is taken when an abnormality occurs, and data is protected throughout the whole process.
Description
Technical Field
The invention relates to the field of information security, in particular to a secure access method and a system for web application with sensitive data.
Background
Currently, with the development of internet technology, a large number of web-based applications have been deployed, bringing convenience to users' daily lives. Web applications for enterprise users also improve operating efficiency and reduce operating costs.
The wide use of web applications brings convenience to various users, and brings security problems, such as disclosure of personal privacy, theft of sensitive data of enterprise users, and the like. Particularly, sensitive data circulated on internal web applications of enterprises, public institutions and state organs can cause immeasurable loss once being stolen by unauthorized people. Therefore, there is a need for a secure access method for web applications with sensitive data to prevent unauthorized access.
Fig. 1 illustrates a prior art VPN-based web application access method, which verifies the user with a user name and password, or with a password combined with a certificate, and then accesses the web application through a VPN. This secures the link between the terminal and the server and prevents the communication from being eavesdropped. However, the method does not ensure the security and validity of the terminal environment, and the VPN can neither detect abnormal access nor automatically disconnect when abnormal access occurs, so it cannot limit the loss.
Disclosure of Invention
To solve these technical problems, the invention provides a method and a system for secure access to a web application with sensitive data, addressing two shortcomings of the prior art: the security of the terminal environment cannot be ensured, and no protective action is taken when an abnormal condition is detected on the link.
According to a first aspect of the present invention there is provided a secure access system for a web application having sensitive data, comprising:
the system comprises a user side unit, an https proxy gateway and a CA center;
the user side unit comprises a special browser and a user hardware certificate usbkey, also called a user certificate; the special browser is used for detecting a software running environment, a user certificate and verifying the legality of computer hardware bound by a user, accessing web application with sensitive data, uploading computer hardware information and local cache data of the special browser for safety protection; detecting an operating environment before the special browser operates, checking whether a user hardware certificate usbkey is matched with the current hardware environment, and if not, forbidding access to the web application; the special browser uploads computer hardware information to the https proxy gateway; the special browser encrypts the local cache data of the browser to safely protect the local cache data of the special browser;
the https proxy gateway is used for verifying a connection request of the special browser, web application proxy, recording hardware information of the user side unit, monitoring computer hardware information uploaded by a user side, monitoring abnormal access and recording logs; the https proxy gateway and the special browser adopt https bidirectional authentication technology to ensure link security; the https proxy gateway disconnects network connection when monitoring that computer hardware information uploaded by a user side is abnormal;
and the CA center is used for being responsible for application and issuance of the user certificate and process management of the user certificate.
Furthermore, the special browser comprises an operating environment detection module, a hardware information acquisition module, a web engine and display module, an uploaded information packaging module and a cache data encryption module;
the running environment detection module is used for detecting a running environment before the special browser runs, checking whether a user hardware certificate usbkey is matched with the current hardware environment or not, and if not, forbidding access to the web application; checking whether the software environment currently operated by the special browser is safe, if so, verifying whether the user certificate is legal, and checking whether the computer hardware bound by the user is legal;
the hardware information acquisition module is used for acquiring hardware information of the computer;
the web engine and display module is used for realizing https mutual authentication and information request of web application with sensitive data, presenting a result to a user, calling an upload information packaging module by using an extension technology of the web engine, and reporting computer hardware information to the https proxy gateway;
the uploading information packaging module is used for packaging the hardware information acquired by the hardware information acquisition module;
the cache data encryption module is used for encrypting the local cache data of the browser so as to safely protect the local cache data of the special browser.
Further, the hardware information of the computer comprises a network card MAC address and an IP address.
Furthermore, the https proxy gateway comprises an https proxy authentication module, a terminal reported information recording module, an abnormal access monitoring module, a log module and a proxy service module;
the https agent authentication module is used for authenticating the validity of the connection request of the special browser;
the terminal report information recording module is used for recording and verifying the computer hardware information reported by the special browser;
the abnormal access monitoring module is used for monitoring the access condition of the special browser, and once the abnormal information of the computer hardware is detected, the network connection is disconnected;
the log module is used for recording normal and abnormal access records of the special browser for inspection;
the proxy service module is used as a web application proxy and responds to various requests of the web application.
Further, the CA center comprises a certificate application module, a certificate issuing module, a certificate management module and a log recording module;
the certificate application module is used for applying for a certificate and collecting user information applying for the certificate of the user and computer hardware information to be bound;
the certificate issuing module is used for issuing a user hardware certificate usbkey;
the certificate management module is used for managing the life cycle of the certificate and maintaining a certificate revocation list;
and the log recording module is used for recording the operations of the certificate application module, the certificate issuing module and the certificate management module and auditing.
According to a second aspect of the present invention, there is provided a secure access method for a web application with sensitive data, based on the secure access system for a web application as described above, the method includes the following steps:
step S601: starting the special browser; after checking the running environment and that the computer hardware bound to the user hardware certificate usbkey matches the hardware currently in use, accessing the specified URL over an https bidirectional (mutually authenticated) connection, uploading computer hardware information in real time, and encrypting the cache data of the special browser; marking the browser state;
step S602: if the browser is quitted, the method is ended; otherwise, go to step S603;
step S603: and starting an https proxy gateway, recording computer hardware information uploaded by the special browser after a https bidirectional authentication connection request is passed, accessing web applications with sensitive data by proxy, monitoring the web application access conditions of the special browser, and disconnecting the connection when abnormality occurs.
According to a third aspect of the present invention, there is provided a method for using a dedicated browser of a secure access system based on a web application having sensitive data, the method further comprising:
step S701: starting up a special browser;
step S702: checking whether the running environment is safe, and if so, entering step S703; otherwise, go to step S707;
step S703: checking whether the computer hardware bound by the user hardware certificate usbkey is matched with the currently running computer hardware, and if so, entering the step S704; otherwise, go to step S707;
step S704: accessing the specified URL through https bidirectional connection;
step S705: uploading computer hardware information in real time, and encrypting cache data of the special browser;
step S706: whether to exit the special browser, if yes, go to step S707; otherwise, go to step S704;
step S707: cleaning the environment and quitting the special browser.
According to a fourth aspect of the present invention, there is provided a https proxy gateway using method for a secure access system based on a web application with sensitive data, the method further comprising:
step S801: starting the https proxy gateway;
step S802: checking whether the https bidirectional authentication connection request verification passes; if yes, go to step S803; otherwise, go to step S807;
step S803: recording computer hardware information uploaded by a special browser;
step S804: the proxy accesses a web application having sensitive data;
step S805: monitoring the access condition of a sensitive data web application of a special browser;
step S806: judging whether the access of the special browser is abnormal or not, if so, entering the step S807; if not, go to step S803;
step S807: recording an abnormal log and disconnecting the connection.
According to a fifth aspect of the present invention, there is provided a secure access system for a web application having sensitive data, comprising:
a processor for executing a plurality of instructions;
a memory to store a plurality of instructions;
wherein the plurality of instructions are stored in the memory and loaded and executed by the processor to perform the secure access method for a web application having sensitive data as described above.
According to a sixth aspect of the present invention, there is provided a computer readable storage medium having a plurality of instructions stored therein, the plurality of instructions being loaded and executed by a processor to perform the secure access method for a web application having sensitive data as described above.
According to the scheme of the invention, the browser side is used for checking the running environment, the hardware accessing the web application and the user, and carrying out safety protection on the terminal information; the https proxy gateway ensures access legitimacy and security and abnormal protection in emergency. And the whole-process data safety protection is realized.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. In the drawings:
FIG. 1 is a flow chart of a prior art VPN-based web application access method;
FIG. 2 is an overall architecture diagram of a secure access system for web applications with sensitive data according to one embodiment of the present invention;
FIG. 3 is a block diagram of the components of a specialized browser according to one embodiment of the present invention;
fig. 4 is a block diagram of the https proxy gateway according to an embodiment of the present invention;
FIG. 5 is a block diagram of the components of a CA center in accordance with one embodiment of the present invention;
FIG. 6 is a flow chart of a method for secure access of a web application having sensitive data in accordance with the present invention;
FIG. 7 is a flow chart of the method of the present invention for using a dedicated browser in a secure access system based on a web application having sensitive data;
FIG. 8 is a flow chart of the https proxy gateway usage method of the secure access system based on web applications with sensitive data of the present invention;
FIG. 9 is a flow chart of a method for securing access to a web application having sensitive data within an enterprise in accordance with the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the specific embodiments of the present invention and the accompanying drawings. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Defining:
VPN: Virtual Private Network.
WEB: the World Wide Web, a distributed, global, dynamic, interactive and cross-platform hypermedia information system based on hypertext and HTTP. It is a network service built on the Internet that gives a browser a graphical, easily navigated interface for finding and browsing information; documents and hyperlinks organize information nodes on the Internet into an interlinked mesh structure.
Web application: an application program accessed through the Web. Its advantage is ease of access: the user needs only a browser and does not have to install any other software.
The general architecture of the secure access system of the present invention for implementing a web application with sensitive data is first described in conjunction with fig. 2, fig. 2 showing a general architecture diagram of the secure access system of a web application with sensitive data according to one embodiment of the present invention. As shown in fig. 2:
the secure access system of the web application with the sensitive data comprises a user side unit, an https proxy gateway and a CA center.
The user side unit comprises a special browser and a user hardware certificate usbkey (also called user certificate hereinafter), wherein the special browser is used for detecting a software running environment, the user certificate and verifying the legality of computer hardware bound by a user, accessing web application with sensitive data, uploading computer hardware information and local cache data of the special browser for safety protection; detecting an operating environment before the special browser operates, checking whether a user hardware certificate usbkey is matched with the current hardware environment, and if not, forbidding access to the web application; the special browser uploads computer hardware information to the https proxy gateway; the special browser encrypts the local cache data of the browser to safely protect the local cache data of the special browser;
the https proxy gateway is used for verifying a connection request of the special browser, web application proxy, recording hardware information of the user side unit, monitoring computer hardware information uploaded by a user side, monitoring abnormal access and recording logs; the https proxy gateway and the special browser adopt https bidirectional authentication technology to ensure link security; the https proxy gateway disconnects network connection when monitoring that computer hardware information uploaded by a user side is abnormal;
and the CA center is used for being responsible for application and issuance of the user certificate and process management of the user certificate.
Specifically,
the user side unit comprises a special browser and a user hardware certificate usbkey, wherein the special browser is used for detecting a software running environment, the user certificate and verifying the legality of computer hardware bound by a user, accessing a web application with sensitive data, uploading computer hardware information and local cache data of the special browser for safety protection; detecting an operating environment before the special browser operates, checking whether a user hardware certificate usbkey is matched with the current hardware environment, and if not, forbidding access to the web application; the special browser uploads computer hardware information to the https proxy gateway; the special browser encrypts the local cache data of the browser to safely protect the local cache data of the special browser;
the computer hardware information comprises a network card MAC address and an IP address.
The special browser encrypts its local cache data, so that the cache data of the special browser is protected when it is written to disk.
FIG. 3 illustrates a block diagram of the components of a specialized browser, according to one embodiment of the present invention. As shown in fig. 3:
the special browser comprises an operating environment detection module, a hardware information acquisition module, a web engine and display module, an uploaded information packaging module and a cache data encryption module;
the running environment detection module is used for detecting a running environment before the special browser runs, checking whether a user hardware certificate usbkey is matched with the current hardware environment or not, and if not, forbidding access to the web application; checking whether the software environment currently operated by the special browser is safe, if so, verifying whether the user certificate is legal, and checking whether the computer hardware bound by the user is legal;
the hardware information acquisition module is used for acquiring hardware information of the computer;
the hardware information of the computer includes, but is not limited to, a network card MAC address and an IP address.
The web engine and display module is used for realizing https mutual authentication and information request of web application with sensitive data, presenting a result to a user, calling an upload information packaging module by using an extension technology of the web engine, and reporting computer hardware information to the https proxy gateway;
the uploading information packaging module is used for packaging the hardware information acquired by the hardware information acquisition module;
the cache data encryption module is used for encrypting the local cache data of the browser so as to safely protect the local cache data of the special browser.
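The text says only that the cache is encrypted; what matters for a practitioner is what the key is bound to, because a cache file copied to another machine or read after the usbkey is unplugged should be useless. The following is an added example, not code from the patent, of a cache-at-rest scheme whose key is derived from a secret held on the usbkey plus the host's hardware fingerprint. It uses the Python standard library only: the HKDF step follows RFC 5869, but the HMAC-based keystream plus HMAC tag is a stand-in for a real AEAD (AES-GCM or ChaCha20-Poly1305), which is what a production build should use. Function names and the salt/info strings are assumptions.

```python
"""Added example (not the patent's code): cache data encrypted under a key bound
to the usbkey secret and the host fingerprint. Stdlib only; the keystream/HMAC
construction stands in for an AEAD such as AES-GCM."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

_NONCE_LEN = 16
_TAG_LEN = 32


def derive_cache_key(usbkey_secret: bytes, host_fingerprint: str) -> bytes:
    """HKDF-SHA256 (RFC 5869, one expand block). The key depends on BOTH the
    secret on the usbkey and the machine fingerprint, so the cache cannot be
    opened on another host or without the key present."""
    prk = hmac.new(b"special-browser-cache-v1", usbkey_secret, hashlib.sha256).digest()
    info = b"cache-key|" + host_fingerprint.encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication (never reuse one key).
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-in-counter-mode keystream; a stand-in for a block cipher in CTR mode.
    blocks = [
        hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt_cache(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh random nonce per write."""
    nonce = secrets.token_bytes(_NONCE_LEN)
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_cache(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the blob is truncated, tampered with,
    or was written under a different key (other usbkey or other host)."""
    if len(blob) < _NONCE_LEN + _TAG_LEN:
        return None
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check first
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    k = derive_cache_key(b"secret-from-usbkey", "sha256-of-mac-and-ip")
    sealed = encrypt_cache(k, b"session=abc; sensitive=1")
    print(decrypt_cache(k, sealed))
```

Verifying the tag before any decryption, and returning None rather than partial plaintext, is the property to keep whichever cipher is used. Note that if the fingerprint includes a DHCP-assigned IP address, as the text's definition of hardware information does, a lease change silently invalidates the cache key; a practitioner would bind the cache key to stable identifiers only.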
The https proxy gateway is used for verifying a connection request of the special browser, web application proxy, recording hardware information of the user side unit, monitoring computer hardware information uploaded by a user side, monitoring abnormal access and recording logs; the https proxy gateway and the special browser adopt https bidirectional authentication technology to ensure link security; the https proxy gateway disconnects network connection when monitoring that computer hardware information uploaded by a user side is abnormal;
specifically, the https proxy gateway allows a legitimate user to access the web application by verifying the connection request of the dedicated browser, monitors computer hardware information uploaded by the user side, and can disconnect the connection when an abnormality is found.
Fig. 4 shows a block diagram of the https proxy gateway according to an embodiment of the present invention. As shown in fig. 4:
the https proxy gateway comprises an https proxy authentication module, a terminal reported information recording module, an abnormal access monitoring module, a log module and a proxy service module;
the https agent authentication module is used for authenticating the validity of the connection request of the special browser;
the terminal report information recording module is used for recording and verifying the computer hardware information reported by the special browser;
the abnormal access monitoring module is used for monitoring the access condition of the special browser, and once the abnormal information of the computer hardware is detected, the network connection is disconnected;
the log module is used for recording normal and abnormal access records of the special browser for inspection;
the proxy service module is used as a web application proxy and responds to various requests of the web application.
And the CA center is used for being responsible for application and issuance of the user certificate and process management of the user certificate.
In particular, fig. 5 shows a block diagram of the components of a CA center according to an embodiment of the invention. As shown in fig. 5:
the CA center comprises a certificate application module, a certificate issuing module, a certificate management module and a log recording module;
the certificate application module is used for applying for a certificate and collecting user information applying for the certificate of the user and computer hardware information to be bound;
the certificate issuing module is used for issuing a user hardware certificate usbkey;
the certificate management module is used for managing the life cycle of the certificate and maintaining a certificate revocation list;
and the log recording module is used for recording the operations of the certificate application module, the certificate issuing module and the certificate management module and auditing.
The method for secure access of a web application with sensitive data according to the present invention is described below with reference to fig. 6, and fig. 6 shows a flowchart of the method for secure access of a web application with sensitive data according to the present invention. The method is based on a secure access system for web applications with sensitive data as described above. As shown in fig. 6:
step S601: starting the special browser; after checking the running environment and that the computer hardware bound to the user hardware certificate usbkey matches the hardware currently in use, accessing the specified URL over an https bidirectional (mutually authenticated) connection, uploading computer hardware information in real time, and encrypting the cache data of the special browser; marking the browser state;
step S602: if the browser is quitted, the method is ended; otherwise, go to step S603;
step S603: and starting an https proxy gateway, recording computer hardware information uploaded by the special browser after a https bidirectional authentication connection request is passed, accessing web applications with sensitive data by proxy, monitoring the web application access conditions of the special browser, and disconnecting the connection when abnormality occurs.
The method for using the dedicated browser of the secure access system for web applications with sensitive data described above is described below with reference to fig. 7. As shown in fig. 7, the method includes:
step S701: starting up a special browser;
step S702: checking whether the running environment is safe, and if so, entering step S703; otherwise, go to step S707;
step S703: checking whether the computer hardware bound by the user hardware certificate usbkey is matched with the currently running computer hardware, and if so, entering the step S704; otherwise, go to step S707;
step S704: accessing the specified URL through https bidirectional connection;
step S705: uploading computer hardware information in real time, and encrypting cache data of the special browser;
step S706: whether to exit the special browser, if yes, go to step S707; otherwise, go to step S704;
step S707: cleaning the environment and quitting the special browser.
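As an added illustration of steps S702, S703 and S705 (example code written for this page, not code from the patent), the following Go program gates start-up on the MAC-address binding of claim 3 and encrypts cache entries with AES-256-GCM. Everything the patent leaves open is an assumption here: the running-environment check is an injected predicate (`envSafe`), the binding is passed in as a MAC string already read from the usbkey certificate, and the cache key is a random per-session key held only in memory.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"net"
)

// Each error names the flowchart step whose check failed.
var (
	ErrUnsafeEnv        = errors.New("S702: running environment is not safe")
	ErrHardwareMismatch = errors.New("S703: bound hardware does not match this computer")
)

// hardwareMatches is the S703 check for the MAC-address binding of claim 3: the MAC
// recorded at enrollment must belong to one of this computer's interfaces. Loopback
// and interfaces without a hardware address are ignored.
func hardwareMatches(boundMAC string, ifaces []net.Interface) bool {
	want, err := net.ParseMAC(boundMAC)
	if err != nil {
		return false // a malformed binding never matches (fail closed)
	}
	for _, ifc := range ifaces {
		if ifc.Flags&net.FlagLoopback != 0 || len(ifc.HardwareAddr) == 0 {
			continue
		}
		if bytes.Equal(ifc.HardwareAddr, want) {
			return true
		}
	}
	return false
}

// startupGate runs S702 then S703 and returns the first failure. envSafe stands in for
// the platform-specific running-environment check, which the patent leaves unspecified.
func startupGate(boundMAC string, ifaces []net.Interface, envSafe func() bool) error {
	if !envSafe() {
		return ErrUnsafeEnv
	}
	if !hardwareMatches(boundMAC, ifaces) {
		return ErrHardwareMismatch
	}
	return nil
}

// cacheCipher encrypts the browser's local cache (S705) with AES-256-GCM under a random
// per-session key. Assumption: the key lives only in memory, so the on-disk cache is
// unreadable once the browser exits; S707 then removes the file as well.
type cacheCipher struct{ aead cipher.AEAD }

func newCacheCipher() (*cacheCipher, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &cacheCipher{aead: aead}, nil
}

// seal returns nonce || ciphertext || tag. The entry's URL is bound in as associated
// data, so a sealed entry cannot be moved under another URL without detection.
func (c *cacheCipher) seal(url string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(url)), nil
}

// open reverses seal; tampering or a wrong URL makes authentication fail.
func (c *cacheCipher) open(url string, sealed []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("cache entry too short")
	}
	return c.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(url))
}

func main() {
	ifaces, err := net.Interfaces()
	if err != nil {
		fmt.Println("cannot enumerate interfaces:", err)
		return
	}
	// Placeholder binding; the real value is read from the usbkey certificate.
	fmt.Println("startup gate:", startupGate("00:1A:2B:3C:4D:5E", ifaces, func() bool { return true }))
}
```

The gate fails closed: a binding that does not parse, an interface list without the bound address, or a negative environment check all end in S707 rather than in S704. Binding the URL into the GCM associated data is a small addition the patent does not mention; it prevents an encrypted entry for one page from being presented as the cache of another.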
The method for using the https proxy gateway of the present invention, based on the secure access system for web applications with sensitive data described above, is described below with reference to fig. 8. As shown in fig. 8, the method includes:
step S801: starting the https proxy gateway;
step S802: checking whether the https bidirectional authentication connection request passes verification; if so, go to step S803; otherwise, go to step S807;
step S803: recording the computer hardware information uploaded by the special browser;
step S804: accessing the web application with sensitive data by proxy;
step S805: monitoring the access of the special browser to the web application with sensitive data;
step S806: judging whether the access of the special browser is abnormal; if so, go to step S807; otherwise, go to step S803;
step S807: recording an abnormal log and disconnecting the connection.
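Added example, not part of the patent: a Go sketch of the gateway side of steps S802 to S807. Assumptions: the enrollment records (certificate serial to bound MAC) are obtained from the CA center into a `Binding` table, the special browser carries its hardware report as JSON in an `X-Hardware-Report` header, and the web application with sensitive data is reached through a standard-library reverse proxy. The https bidirectional authentication of S802 is enforced by the `tls.Config` in `main`, so the handler only ever sees connections that presented a client certificate chaining to the enterprise CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
)

// HardwareReport is the payload the special browser uploads (S803); field names are assumed.
type HardwareReport struct {
	MAC string `json:"mac"`
	IP  string `json:"ip"`
}

// Binding is the enrollment record keyed by certificate serial (assumed to come from the CA center).
type Binding struct {
	User string
	MAC  string
}

type Gateway struct {
	mu       sync.Mutex
	bindings map[string]Binding        // cert serial -> enrolled binding
	lastSeen map[string]HardwareReport // cert serial -> last accepted report
	upstream http.Handler              // reverse proxy to the real web application (S804)
}

func NewGateway(upstreamURL string, bindings map[string]Binding) (*Gateway, error) {
	u, err := url.Parse(upstreamURL)
	if err != nil {
		return nil, err
	}
	return &Gateway{bindings: bindings, lastSeen: map[string]HardwareReport{}, upstream: httputil.NewSingleHostReverseProxy(u)}, nil
}

// Evaluate is S806: a report is abnormal if the certificate holder is not enrolled, the
// report is malformed, the MAC differs from the enrolled one, or the reported hardware
// changes while the session is open. MACs are compared after parsing, not as raw strings.
func (g *Gateway) Evaluate(serial string, rep HardwareReport) (ok bool, reason string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	b, enrolled := g.bindings[serial]
	if !enrolled {
		return false, "certificate serial not enrolled"
	}
	mac, err := net.ParseMAC(rep.MAC)
	if err != nil || net.ParseIP(rep.IP) == nil {
		return false, "malformed hardware report"
	}
	if bound, _ := net.ParseMAC(b.MAC); mac.String() != bound.String() {
		return false, fmt.Sprintf("MAC %s differs from enrolled %s", mac, bound)
	}
	cur := HardwareReport{MAC: mac.String(), IP: rep.IP}
	if prev, seen := g.lastSeen[serial]; seen && prev != cur {
		return false, "hardware information changed during session"
	}
	g.lastSeen[serial] = cur
	return true, ""
}

// ServeHTTP handles one proxied request. The TLS layer (see main) has already enforced
// the client certificate, so r.TLS.PeerCertificates holds the verified user certificate.
func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate required", http.StatusUnauthorized) // S802 failed
		return
	}
	serial := r.TLS.PeerCertificates[0].SerialNumber.String()
	var rep HardwareReport // assumed to travel in a header set by the special browser
	if err := json.Unmarshal([]byte(r.Header.Get("X-Hardware-Report")), &rep); err != nil {
		rep = HardwareReport{} // an unparsable report is evaluated as malformed
	}
	if ok, reason := g.Evaluate(serial, rep); !ok {
		log.Printf("abnormal access serial=%s remote=%s: %s", serial, r.RemoteAddr, reason) // S807 log
		w.Header().Set("Connection", "close") // S807: tear down the connection, not just the request
		http.Error(w, "access denied", http.StatusForbidden)
		return
	}
	g.upstream.ServeHTTP(w, r) // S804
}

func main() {
	g, err := NewGateway("https://oa.internal.example", map[string]Binding{}) // constructed upstream
	if err != nil {
		log.Fatal(err)
	}
	// S802: https bidirectional authentication; ClientCAs is a placeholder for the enterprise CA pool.
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS12}
	srv := &http.Server{Addr: ":8443", Handler: g, TLSConfig: cfg}
	log.Fatal(srv.ListenAndServeTLS("gateway.crt", "gateway.key")) // placeholder file paths
}
```

Two design points worth noting: the decision is made on parsed values (so `00-1A-2B-3C-4D-5E` and `00:1a:2b:3c:4d:5e` are the same MAC and do not trip the S806 check), and the gateway remembers the last accepted report per certificate so that a change of hardware in the middle of a session is caught even when the new values are well-formed. On an abnormal result the handler asks the server to close the TLS connection, which is what S807 requires, rather than merely refusing the one request.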
The following embodiment describes a method for secure access to web applications with sensitive data within an enterprise with reference to fig. 9. It employs the secure access system for web applications with sensitive data described above. The method comprises the following steps:
step S901: establishing the enterprise's own CA center and deploying the https proxy gateway;
step S902: providing the computer MAC address and user information to apply for a hardware certificate;
step S903: installing the special browser on the computer terminal;
step S904: accessing the OA system using the special browser;
step S905: verifying the user hardware certificate; if verification passes, go to step S906; otherwise, the method ends;
step S906: the OA system is accessed normally.
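As an added example of steps S901 and S902 (not code from the patent), the following Go program stands up a minimal CA, issues a client-authentication certificate that carries the MAC address and IP supplied at application time in a certificate extension, and then verifies that certificate and reads the binding back the way the https proxy gateway would. The extension OID, the ASN.1 field encoding and the software-generated user key are all assumptions; the patent puts the key on a usbkey and does not say how the binding is encoded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical private OID for the bound-hardware extension; the patent does not fix an encoding.
var oidBoundHardware = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// boundHardware is what the certificate application module collects in S902.
type boundHardware struct {
	MAC string `asn1:"utf8"`
	IP  string `asn1:"utf8"`
}

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// newCA creates the enterprise's own self-signed root (S901).
func newCA() (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enterprise CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return &ca{cert: cert, key: key}, err
}

// issue is S902: a client-authentication certificate for user carrying hw in the
// bound-hardware extension. A malformed MAC is refused so no certificate can bind to
// hardware the gateway could never match. Assumption: the key pair is generated in
// software here; in the real system it is generated inside the usbkey and never leaves it.
func (c *ca) issue(serial int64, user string, hw boundHardware) (*x509.Certificate, error) {
	if _, err := net.ParseMAC(hw.MAC); err != nil {
		return nil, fmt.Errorf("refusing to bind malformed MAC %q: %w", hw.MAC, err)
	}
	ext, err := asn1.Marshal(hw)
	if err != nil { return nil, err }
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidBoundHardware, Value: ext}},
	}
	return sign(tmpl, c.cert, &userKey.PublicKey, c.key)
}

// boundHardwareOf verifies cert against this CA and returns the binding it carries;
// this is the check the https proxy gateway makes on the peer certificate.
func (c *ca) boundHardwareOf(cert *x509.Certificate) (boundHardware, error) {
	roots := x509.NewCertPool()
	roots.AddCert(c.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return boundHardware{}, err
	}
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidBoundHardware) {
			var hw boundHardware
			_, err := asn1.Unmarshal(e.Value, &hw)
			return hw, err
		}
	}
	return boundHardware{}, fmt.Errorf("certificate %s carries no bound-hardware extension", cert.SerialNumber)
}

func main() {
	authority, err := newCA()
	if err != nil {
		panic(err)
	}
	cert, err := authority.issue(1001, "alice", boundHardware{MAC: "00:1A:2B:3C:4D:5E", IP: "10.0.0.12"}) // constructed
	if err != nil {
		panic(err)
	}
	fmt.Println(authority.boundHardwareOf(cert))
}
```

Putting the binding inside the signed certificate, rather than only in a CA-side table, means the gateway can check the MAC against a value the user cannot alter without breaking the CA signature, and the same check is available to the special browser at S703. The revocation list of claim 5 is not shown; in Go it would be produced with `x509.CreateRevocationList` from the same CA key.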
The embodiment of the invention further provides a system for secure access to a web application with sensitive data, which comprises:
a processor for executing a plurality of instructions;
a memory for storing the plurality of instructions;
wherein the plurality of instructions are stored by the memory and are loaded and executed by the processor to perform the secure access method for a web application with sensitive data described above.
The embodiment of the invention further provides a computer readable storage medium in which a plurality of instructions are stored; the plurality of instructions are loaded and executed by a processor to perform the secure access method for a web application with sensitive data described above.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into units is only one logical division, and other divisions are possible in an actual implementation; for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a physical machine Server, or a network cloud Server, etc., and needs to install a Windows or Windows Server operating system) to perform some steps of the method according to various embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification, equivalent change and modification made to the above embodiment according to the technical spirit of the present invention are still within the scope of the technical solution of the present invention.
Claims (10)
1. A system for secure access to a web application with sensitive data, characterized in that it comprises a user side unit, an https proxy gateway and a CA center;
the user side unit comprises a special browser and a user hardware certificate usbkey, also called the user certificate; the special browser is used for detecting the software running environment and the user certificate, verifying the legality of the computer hardware bound to the user, accessing the web application with sensitive data, uploading computer hardware information, and protecting its local cache data; before the special browser runs, it detects the running environment and checks whether the user hardware certificate usbkey matches the current hardware environment, and if not, access to the web application is forbidden; the special browser uploads computer hardware information to the https proxy gateway; the special browser encrypts its local cache data so as to protect it;
the https proxy gateway is used for verifying the connection request of the special browser, proxying the web application, recording the hardware information of the user side unit, monitoring the computer hardware information uploaded by the user side, monitoring abnormal access and recording logs; the https proxy gateway and the special browser adopt https bidirectional authentication to ensure link security; the https proxy gateway disconnects the network connection when it detects that the computer hardware information uploaded by the user side is abnormal;
and the CA center is responsible for the application and issuance of the user certificate and for its process management.
2. The system of claim 1, wherein the special browser comprises a running environment detection module, a hardware information acquisition module, a web engine and display module, an upload information packaging module, and a cache data encryption module;
the running environment detection module is used for detecting the running environment before the special browser runs, checking whether the user hardware certificate usbkey matches the current hardware environment and, if not, forbidding access to the web application; it checks whether the software environment in which the special browser currently runs is safe and, if so, verifies whether the user certificate is legal and checks whether the computer hardware bound to the user is legal;
the hardware information acquisition module is used for acquiring the hardware information of the computer;
the web engine and display module is used for performing https mutual authentication and the information requests of the web application with sensitive data, presenting the result to the user, calling the upload information packaging module through the extension mechanism of the web engine, and reporting the computer hardware information to the https proxy gateway;
the upload information packaging module is used for packaging the hardware information acquired by the hardware information acquisition module;
the cache data encryption module is used for encrypting the local cache data of the browser so as to protect the local cache data of the special browser.
3. The system for secure access to a web application with sensitive data according to claim 1, wherein the hardware information of the computer includes the network card MAC address and the IP address.
4. The system of claim 1, wherein the https proxy gateway comprises an https proxy authentication module, a terminal reported information recording module, an abnormal access monitoring module, a log module, and a proxy service module;
the https proxy authentication module is used for authenticating the validity of the connection request of the special browser;
the terminal reported information recording module is used for recording and verifying the computer hardware information reported by the special browser;
the abnormal access monitoring module is used for monitoring the access of the special browser and, once abnormal computer hardware information is detected, disconnecting the network connection;
the log module is used for recording the normal and abnormal access records of the special browser for inspection;
the proxy service module acts as the web application proxy and responds to the various requests to the web application.
5. The system for secure access to a web application with sensitive data according to claim 1, wherein the CA center comprises a certificate application module, a certificate issuing module, a certificate management module and a log recording module;
the certificate application module is used for applying for a certificate and collecting the user information of the applicant and the computer hardware information to be bound;
the certificate issuing module is used for issuing the user hardware certificate usbkey;
the certificate management module is used for managing the life cycle of certificates and maintaining a certificate revocation list;
and the log recording module is used for recording the operations of the certificate application module, the certificate issuing module and the certificate management module for auditing.
6. A method for secure access to a web application with sensitive data, based on the system for secure access to a web application with sensitive data according to any one of claims 1 to 5, characterized in that the method performs the following steps:
step S601: starting the special browser; after checking that the running environment is safe and that the computer hardware bound to the user hardware certificate usbkey matches the hardware currently in use, accessing the specified URL through an https bidirectional connection, uploading computer hardware information in real time, and encrypting the cache data of the special browser; marking the browser state;
step S602: if the browser has been quit, the method ends; otherwise, go to step S603;
step S603: starting the https proxy gateway; after an https bidirectional authentication connection request passes, recording the computer hardware information uploaded by the special browser, accessing the web application with sensitive data by proxy, monitoring the web application access of the special browser, and disconnecting the connection when an abnormality occurs.
7. A method for using the dedicated browser based on the secure access system for web applications with sensitive data according to any one of claims 1 to 5, characterized in that the method further comprises:
step S701: starting the special browser;
step S702: checking whether the running environment is safe; if so, go to step S703; otherwise, go to step S707;
step S703: checking whether the computer hardware bound to the user hardware certificate usbkey matches the computer hardware currently in use; if so, go to step S704; otherwise, go to step S707;
step S704: accessing the specified URL through an https bidirectional connection;
step S705: uploading computer hardware information in real time, and encrypting the cache data of the special browser;
step S706: checking whether the special browser is to be exited; if so, go to step S707; otherwise, go to step S704;
step S707: cleaning the environment and quitting the special browser.
8. A method for using the https proxy gateway based on the secure access system for web applications with sensitive data according to any one of claims 1 to 5, characterized in that the method further comprises:
step S801: starting the https proxy gateway;
step S802: checking whether the https bidirectional authentication connection request passes verification; if so, go to step S803; otherwise, go to step S807;
step S803: recording the computer hardware information uploaded by the special browser;
step S804: accessing the web application with sensitive data by proxy;
step S805: monitoring the access of the special browser to the web application with sensitive data;
step S806: judging whether the access of the special browser is abnormal; if so, go to step S807; otherwise, go to step S803;
step S807: recording an abnormal log and disconnecting the connection.
9. A system for secure access to a web application with sensitive data, comprising:
a processor for executing a plurality of instructions;
a memory for storing the plurality of instructions;
wherein the plurality of instructions are stored by the memory and are loaded and executed by the processor to perform the secure access method for a web application with sensitive data of claim 6.
10. A computer-readable storage medium in which a plurality of instructions are stored; the plurality of instructions are loaded and executed by a processor to perform the method for secure access to a web application with sensitive data of claim 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911263373.7A CN111083132B (en) | 2019-12-11 | 2019-12-11 | Safe access method and system for web application with sensitive data |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111083132A true CN111083132A (en) | 2020-04-28 |
| CN111083132B CN111083132B (en) | 2022-02-18 |
Family
ID=70313730
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911263373.7A Active CN111083132B (en) | 2019-12-11 | 2019-12-11 | Safe access method and system for web application with sensitive data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111083132B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7818574B2 (en) * | 2004-09-10 | 2010-10-19 | International Business Machines Corporation | System and method for providing dynamically authorized access to functionality present on an integrated circuit chip |
| CN101867588A (en) * | 2010-07-16 | 2010-10-20 | 福州大学 | An Access Control System Based on 802.1x |
| CN102065088A (en) * | 2010-12-16 | 2011-05-18 | 中国建设银行股份有限公司 | Methods for automatically loading internet bank security assembly and authenticating internet bank security |
| US20170195124A1 (en) * | 2015-12-30 | 2017-07-06 | T-Mobile Usa, Inc. | Persona and device based certificate management |
| CN107241345A (en) * | 2017-06-30 | 2017-10-10 | 西安电子科技大学 | Cloud computing resources management method based on UKey |
| CN108243166A (en) * | 2016-12-27 | 2018-07-03 | 航天信息股份有限公司 | A kind of identity identifying method and system based on USBKey |
| CN109660530A (en) * | 2018-12-08 | 2019-04-19 | 公安部第三研究所 | A kind of protecting information safety method based on hardware certificate |
| CN109802846A (en) * | 2017-11-17 | 2019-05-24 | 航天信息股份有限公司 | USB Key certificate environment detection method and device |
| CN110543768A (en) * | 2019-08-23 | 2019-12-06 | 苏州浪潮智能科技有限公司 | A method and system for controlling root of trust in BIOS |
Non-Patent Citations (2)
| Title |
|---|
| 张月华: ""WSS在基于浏览器和USBKey的数字证书签发系统中的研究与应用"", 《万方》 * |
| 王权: ""基于USBKEY的访问控制方法研究"", 《万方》 * |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111756732A (en) * | 2020-06-23 | 2020-10-09 | 北京明朝万达科技股份有限公司 | Data scanning and control method and device, electronic equipment and readable storage medium |
| CN112417328A (en) * | 2020-12-03 | 2021-02-26 | 杭州海量存储技术有限公司 | Webpage monitoring method and device |
| CN112417328B (en) * | 2020-12-03 | 2024-05-31 | 杭州海量存储技术有限公司 | Webpage monitoring method and device |
| CN113794735A (en) * | 2021-09-29 | 2021-12-14 | 北京雅丁信息技术有限公司 | Sensitive data security protection method under SAAS system scene |
| CN114157503A (en) * | 2021-12-08 | 2022-03-08 | 北京天融信网络安全技术有限公司 | Authentication method and device for access request, API gateway device, and storage medium |
| CN114301607A (en) * | 2021-12-30 | 2022-04-08 | 山石网科通信技术股份有限公司 | Method and device for clearing browser certificate, storage medium and processor |
| CN114301607B (en) * | 2021-12-30 | 2024-02-06 | 山石网科通信技术股份有限公司 | Certificate clearing method and device for browser, storage medium and processor |
| CN114666132A (en) * | 2022-03-22 | 2022-06-24 | 深圳供电局有限公司 | Method for encrypting and authenticating application layer based on TCP/IP protocol |
| CN114666132B (en) * | 2022-03-22 | 2024-01-30 | 深圳供电局有限公司 | Method for application layer encryption and authentication based on TCP/IP protocol |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111083132B (en) | 2022-02-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111083132B (en) | | Safe access method and system for web application with sensitive data |
| CN101771532B (en) | | Method, device and system for realizing resource sharing |
| CN110268406B (en) | | Password security |
| CN102158493B (en) | | A kind of Cookie analytic method, device and a kind of client |
| CN102739774B (en) | | Method and system for obtaining evidence under cloud computing environment |
| CN102065147A (en) | | Method and device for obtaining user login information based on enterprise application system |
| US11184389B2 (en) | | Security mechanisms for preventing retry or replay attacks |
| CN113542201A (en) | | Access control method and device for Internet service |
| KR20150026587A (en) | | Apparatus, method and computer readable recording medium for providing notification of log-in from new equipments |
| CN109726041B (en) | | Method, apparatus and computer readable medium for restoring files in a virtual machine disk |
| CN105162763B (en) | | Communication data processing method and device |
| CN109828924A (en) | | Test method, device and calculating equipment and medium |
| CN114491661A (en) | | Blockchain-based log tamper-proof method and system |
| CN107733853A (en) | | Page access method, apparatus, computer and medium |
| CN110049028A (en) | | Monitor method, apparatus, computer equipment and the storage medium of domain control administrator |
| CN110263008A (en) | | Terminal offline logs management system, method, equipment and storage medium |
| CN109040080B (en) | | File tampering processing method and device, cloud service platform and storage medium |
| CN113709136A (en) | | Access request verification method and device |
| CN118395412A (en) | | Non-inductive man-machine identification safety protection method, device, equipment and medium |
| CN102546636B (en) | | Protected resource monitoring method and device |
| CN108134781B (en) | | Important information data secrecy monitoring system |
| CN105933356A (en) | | Method and device for detecting DNS (Domain Name System) hijacking of client |
| CN108173823A (en) | | The anti-grasping means of the page and device |
| CN115174571A (en) | | Block chain-based method and device for recording screen and obtaining evidence |
| TW201835794A (en) | | Method and device for recording website access log |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |