CN112565293A - Information security management method and device, computer equipment and readable storage medium - Google Patents
- Publication number: CN112565293A (application CN202011537973.0A)
- Authority: CN (China)
- Prior art keywords: information, token, request, authorization code, user
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of information security and discloses an information security management method, an information security management device, computer equipment and a readable storage medium. The method comprises the following steps: recording user information, generating a jump link according to the access information, and generating an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; receiving a token request sent by a client according to the authorization code and the jump link; generating token information according to the token request; receiving an information request sent by the client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request; if they are consistent, judging that the information request is a legal request and destroying the token information; and querying the user information according to the legal request and sending the user information to the client. The invention also relates to blockchain technology, in that information can be stored in blockchain nodes. The invention prevents an illegal client from obtaining the user information and thereby seriously compromising its security.
Description
Technical Field
The present invention relates to the field of information security protection technologies, and in particular, to an information security management method and apparatus, a computer device, and a readable storage medium.
Background
Currently, when a user side purchases or reserves a product of the client side, the user side generally directly accesses a page in the client side and inputs corresponding user information into the client side to purchase or reserve the product.
However, the inventor has realized that, during the information interaction between the user side and the client side, an illegal client that takes the place of the legal client can easily obtain the exchanged user information, which puts the security of the user information at great risk.
Disclosure of Invention
The invention aims to provide an information security management method, an information security management device, computer equipment and a readable storage medium, which are used for solving the problem that user information interacted between a user side and a client side in the prior art is easily obtained by an illegal client side in a mode of replacing a legal client side. The method and the system can be applied to smart medical scenes, and therefore construction of smart cities is promoted.
In order to achieve the above object, the present invention provides an information security management method, including:
receiving access information, user information and authorization information sent by a user side, recording the user information, generating a jump link according to the access information, and generating an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; the authorization code and the jump link are used for enabling the user side to access the client side;
receiving a token request sent by the client according to the authorization code and the jump link;
generating token information according to the token request, and sending the token information to the client;
receiving an information request sent by the client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request; if they are consistent, judging that the information request is a legal request and destroying the token information;
and querying user information according to the legal request, and sending the user information to the client.
In the above scheme, before receiving the access information, the user information, and the authorization information sent by the user side, the method further includes:
receiving login information sent by a user side, performing identity verification on the login information and judging whether the login information is authorized to log in; if it is authorized to log in, sending login success information to the user side, so that the user side generates access information and user information according to the login success information; if not, sending login failure information to the user side and ending.
In the above solution, the step of generating the jump link according to the access information includes:
intercepting the access information and generating an access ID;
splicing the access ID and the channel information to obtain a link character string;
encrypting the link character string to obtain a jump link;
after the jump link is obtained by encrypting the link string, the method further includes:
and uploading the jump link to a block chain.
In the foregoing solution, before generating the token information according to the token request, the method further includes:
extracting an authorization code in the token request and verifying whether the authorization code is valid;
and if the authorization code is invalid, sending access refusing information to the client and ending.
In the foregoing solution, the step of verifying whether the authorization code is valid includes:
setting the authorization code generated according to the authorization information as a first authorization code, and setting the authorization code in the token request as a second authorization code;
comparing whether the first authorization code and the second authorization code are consistent;
if the first authorization code is consistent with a second authorization code, judging whether the first authorization code has a use tag, wherein the use tag is an identifier used for reflecting that the first authorization code is used;
if the first authorization code does not have the use tag, judging that the second authorization code is valid, and inserting the use tag into the first authorization code to identify that the first authorization code is used;
if the first authorization code has the use tag, judging that the second authorization code is invalid;
and if the first authorization code is inconsistent with a second authorization code, determining that the second authorization code is invalid.
In the foregoing solution, before querying user information according to the legal request, the method further includes:
extracting token information in the legal request and verifying whether the token information is valid;
and if the token information is invalid, updating the token information to form reset token information, and sending the reset token information to the client so that the client generates an information request according to the reset token information.
In the foregoing solution, the step of verifying whether the token information is valid includes:
calculating the time difference between the time for extracting the token information in the legal request and the generation time of the token information;
extracting the expiration time in the token information;
judging whether the time difference is larger than the expiration time or not;
if yes, determining that the token information is invalid;
if not, the token information is judged to be valid.
In order to achieve the above object, the present invention further provides an information security management apparatus, including:
the authorization link module is used for receiving access information, user information and authorization information sent by a user side, recording the user information, generating a jump link according to the access information, and generating an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; the authorization code and the jump link are used for enabling the user side to access the client side;
the request input module is used for receiving a token request sent by the client according to the authorization code and the jump link;
the token generation module is used for generating token information according to the token request and sending the token information to the client;
the request judging module is used for receiving an information request sent by the client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request; if they are consistent, judging that the information request is a legal request and destroying the token information;
and the information output module is used for inquiring user information according to the legal request and sending the user information to the client.
In order to achieve the above object, the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor of the computer device implements the steps of the information security management method when executing the computer program.
In order to achieve the above object, the present invention further provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the information security management method.
The information security management method, device, computer equipment and readable storage medium provided by the invention generate a jump link from the access information so that the user side can conveniently access a page in the client. At the same time, the user's authorization is obtained through the authorization information and an authorization code is generated, so that the client can obtain the user information that the page needs to load according to the authorization code. The user side can therefore access the page without performing complicated authorization operations, which keeps access to the pages in the client smooth, and a client that has the right to obtain the user information can obtain the corresponding user information accurately and completely through the authorization code and load the page. This avoids the situation in which the client obtains the user information directly from the user side, so that an illegal or untrusted client obtains it and its security is seriously compromised; the security of the user information is thereby ensured.
Comparing the token information in the information request with the token information generated according to the token request prevents an illegal client from forging the token information by means of cross-site request forgery in order to obtain the user information, further ensures that the client obtaining the user information is an authorized client, and improves the security of the user information.
Drawings
FIG. 1 is a flowchart of a first embodiment of the information security management method according to the present invention;
FIG. 2 is a schematic view of the application environment of the information security management method in a second embodiment of the information security management method according to the present invention;
FIG. 3 is a flowchart of a specific method of the information security management method in the second embodiment of the information security management method according to the present invention;
FIG. 4 is a schematic diagram of the program modules of a third embodiment of the information security management apparatus according to the present invention;
FIG. 5 is a schematic diagram of the hardware structure of a computer device according to a fourth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides an information security management method, an information security management device, computer equipment and a readable storage medium, which are applicable to the technical field of information security protection; the method is based on an authorization link module, a request input module, a token generation module, a request judging module and an information output module. The user information is recorded, the jump link is generated according to the access information, and the authorization code is generated according to the authorization information; the authorization code and the jump link are sent to the user side; token information is generated according to the token request and sent to the client; an information request sent by the client according to the token information is received, and it is judged whether the token information in the information request is consistent with the token information generated according to the token request; if they are consistent, the information request is judged to be a legal request and the token information is destroyed; and the user information is queried according to the legal request and sent to the client.
Embodiment one:
Referring to fig. 1, the information security management method of the present embodiment includes:
S101: Receiving access information, user information and authorization information sent by a user side, recording the user information, generating a jump link according to the access information, and generating an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; the authorization code and the jump link are used for enabling the user side to access the client side.
S102: Receiving a token request sent by the client according to the authorization code and the jump link.
S104: Generating token information according to the token request, and sending the token information to the client.
S106: Receiving an information request sent by the client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request; if they are consistent, judging that the information request is a legal request and destroying the token information.
S108: Querying user information according to the legal request, and sending the user information to the client.
In this embodiment, the jump link is generated from the access information so that the user side can conveniently access the page in the client. At the same time, the user's authorization is obtained through the authorization information and the authorization code is generated, so that the client can obtain the user information that the page needs to load according to the authorization code. The user side can therefore access the page without performing complicated authorization operations, which keeps access to the pages in the client smooth, and a client that has the right to obtain the user information can obtain the corresponding user information accurately and completely through the authorization code and load the page. This avoids the situation in which the client obtains the user information directly from the user side, so that an illegal or untrusted client obtains it and its security is seriously compromised; the security of the user information is thereby ensured.
The token information in the information request (namely, the value of access_token) is compared with the token information generated according to the token request (namely, the value of access_token). If the two are consistent, the information request is judged to be a legal request; if they are inconsistent, the information request is judged to be an illegal request. This prevents an illegal client from forging the token information by means of cross-site request forgery (CSRF) in order to obtain the user information, further ensures that the client obtaining the user information is an authorized client, and improves the security of the user information. Destroying the token information ensures that the client can obtain the user information only once, which prevents the server running the information security management method from being overloaded by a client that sends information requests repeatedly.
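The server-side checks described above (the single-use authorization code with its use tag, the token comparison followed by destruction, and the expiry test that leads to reset token information), as an added Python example that is not part of the patent text. The class, method and field names, the in-memory storage, the lock and the injectable clock are assumptions made for illustration, and the sample user data is constructed.

```python
import secrets
import threading
import time


class AuthorizationServer:
    """In-memory model of the server side of S101-S108 (hypothetical names)."""

    def __init__(self, token_ttl=300.0, clock=time.monotonic):
        self._clock = clock
        self._token_ttl = token_ttl
        self._lock = threading.Lock()
        self._users = {}   # user id -> recorded user information
        self._codes = {}   # first authorization code -> {"user_id", "used"}
        self._tokens = {}  # access_token -> {"user_id", "issued_at", "expires_in"}

    def authorize(self, user_id, user_info):
        """S101: record the user information and issue an authorization code."""
        code = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
        with self._lock:
            self._users[user_id] = dict(user_info)
            self._codes[code] = {"user_id": user_id, "used": False}
        return code

    def _issue_token(self, user_id):
        # Caller must hold self._lock.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user_id": user_id,
            "issued_at": self._clock(),
            "expires_in": self._token_ttl,
        }
        return token

    def token_request(self, second_code):
        """S102/S104: return token information, or None when access is refused."""
        # The check and the tagging happen under one lock; without that, two
        # concurrent requests could both see an untagged code and both succeed.
        with self._lock:
            first = self._codes.get(second_code)
            if first is None:      # no first authorization code is consistent
                return None
            if first["used"]:      # use tag present: the code was replayed
                return None
            first["used"] = True   # insert the use tag before issuing
            return self._issue_token(first["user_id"])

    def info_request(self, token):
        """S106/S108: ("ok", info), ("reset", new_token) or ("denied", None)."""
        with self._lock:
            # pop() is the destruction step: a token is accepted at most once.
            record = self._tokens.pop(token, None)
            if record is None:
                return ("denied", None)
            age = self._clock() - record["issued_at"]
            if age > record["expires_in"]:
                # Invalid (expired) token: form reset token information.
                return ("reset", self._issue_token(record["user_id"]))
            return ("ok", dict(self._users[record["user_id"]]))


def demo():
    """Run the flow on constructed data with a controllable clock."""
    now = [0.0]
    info = {"card_no": "CONSTRUCTED-0001"}  # constructed sample value
    srv = AuthorizationServer(token_ttl=60.0, clock=lambda: now[0])
    code = srv.authorize("user-001", info)
    token = srv.token_request(code)
    results = {
        "replayed_code": srv.token_request(code),
        "forged_token": srv.info_request("not-a-real-token"),
        "first_use": srv.info_request(token),
        "second_use": srv.info_request(token),
    }
    stale = srv.token_request(srv.authorize("user-001", info))
    now[0] += 61.0  # let the second token age past its 60 s lifetime
    status, fresh = srv.info_request(stale)
    results["expired"] = status
    results["after_reset"] = srv.info_request(fresh)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The reset path, implemented here as the text describes it, hands a fresh token to whoever presents an expired one, so the expiry bounds the lifetime of a token value rather than the access of its holder.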
It should be noted that the client acquires the page corresponding to the page information in the access information according to the jump link, and extracts the information required by the page to make an information request. For example, if the page information is product purchase information, the corresponding page is a product purchase page; in that case the user information required by the product purchase page is the unique user identifier, and the information request is formed by combining the token information and the unique user identifier.
The method and the system can be applied to smart medical scenes, and therefore construction of smart cities is promoted.
Embodiment two:
This embodiment is a specific application scenario of the first embodiment, through which the method provided by the present invention can be explained more clearly and specifically.
The method provided in this embodiment will be specifically described below by taking an example in which a jump link and an authorization code are generated in a server running an information security management method, token information is generated for a token request sent by a client, and user information is queried according to a legal request and sent to the client. It should be noted that the present embodiment is only exemplary, and does not limit the protection scope of the embodiments of the present invention.
Fig. 2 schematically shows an environment application diagram of an information security management method according to a second embodiment of the present application.
In an exemplary embodiment, the server 2 in which the information security management method is located is connected to the user side 3 and the client side 4 through a network; the server 2 may provide services through one or more networks, which may include various network devices, such as routers, switches, multiplexers, hubs, modems, bridges, repeaters, firewalls, proxy devices, and/or the like. The network may include physical links, such as coaxial cable links, twisted pair cable links, fiber optic links, combinations thereof, and/or the like. The network may include wireless links, such as cellular links, satellite links, Wi-Fi links, and/or the like; the user end 3 may be a computer device such as a smart phone, a tablet computer, a notebook computer, a desktop computer, etc., and the client end 4 may be a computer server running a page for serving the user end.
Fig. 3 is a flowchart of a specific method of an information security management method according to an embodiment of the present invention, where the method specifically includes steps S200 to S210.
S200: Receiving login information sent by a user side, performing identity verification on the login information and judging whether the login information is authorized to log in; if it is authorized to log in, sending login success information to the user side, so that the user side generates access information and user information according to the login success information; if not, sending login failure information to the user side and ending.
To prevent an unauthorized user from logging in to the server that runs the information security management method and obtaining client information, which would put that information at risk, the login information sent by the user side is verified to judge whether the user side has the right to log in to the server. This prevents an unauthorized user side from stealing client information by logging in to the server.
In this embodiment, a login database is used to store the login information pre-registered by users. The login information includes a unique user identifier (e.g., account information) and user encryption information (e.g., a login password), which are stored in the login database as key-value pairs: the unique user identifier is the primary key of the pair, and the user encryption information is its value.
The step of performing identity verification on the login information and judging whether it passes includes the following steps:
S01: Identifying the primary key in the login database that is consistent with the unique user identifier of the login information to be verified;
S02: Extracting the value corresponding to the primary key and setting it as the standard encryption information;
S03: Judging whether the user encryption information in the login information is consistent with the standard encryption information;
S04: If yes, judging that the login information is authorized to log in;
S05: If not, judging that the login information is not authorized to log in.
S201: Receiving access information, user information and authorization information sent by a user side, recording the user information, generating a jump link according to the access information, and generating an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; the authorization code and the jump link are used for enabling the user side to access the client side.
This step addresses the situation in which the client obtains the user information directly from the user side, so that an illegal or untrusted client obtains it and its security is seriously compromised. In this step, the jump link is generated from the access information so that the user side can conveniently access the page in the client. At the same time, the user's authorization is obtained through the authorization information and the authorization code is generated, so that the client can obtain the user information that the page needs to load according to the authorization code. The user side can therefore access the page without performing complicated authorization operations, which keeps access to the pages in the client smooth, and a client that has the right to obtain the user information can obtain the corresponding user information accurately and completely through the authorization code and load the page, which ensures the security of the user information.
In this embodiment, the access information includes channel information and request information. The channel information reflects the channel of the client that the access information is to access, for example client channel: channel 001, which expresses that the channel of client A is 001. The page information reflects the page that the access information is to access, for example scene: 01, which represents a product purchase page.
Illustratively, the page information includes:
product purchase information, which reflects a data request of the user side for accessing the product purchase page;
order detail information, which reflects a data request of the user side for accessing the order detail page;
reservation information, which reflects a data request of the user side for accessing the reservation page;
and appointment detail information, which reflects a data request of the user side for accessing the appointment detail page.
The page includes:
a product purchase page, which corresponds to the product purchase information and is used for transmitting a unique user identifier (such as login account information), a supplier product code and a family purchase mark;
an order detail page, which corresponds to the order detail information and is used for transmitting information such as a unique user identifier, a supplier product code and a physical examination card number;
an appointment page, which corresponds to the appointment detail information and is used for transmitting information such as a unique user identifier, physical examination card number information, a user name, a birth date, a certificate number, a certificate type and gender;
and a reservation detail page, which corresponds to the reservation detail information and is used for transmitting information such as the unique user identifier, the supplier product code, the physical examination card number and the order number.
In a preferred embodiment, the step of generating the jump link according to the access information includes:
S11: intercepting the access information and generating an access ID;
In this step, a filter or a profile is used to generate a requestId (i.e. the access ID) that uniquely identifies the request before each HTTP access message (i.e. the access information) enters the Controller; a UUID can be used, and it is placed in ThreadLocal to facilitate calls within the context.
S12: and splicing the access ID and the channel information to obtain a link character string.
In this step, the access ID and the channel information are appended after a preset initialization text (such as http//) according to a preset splicing rule to form a link character string. The splicing rule is a computer program, preset by a developer, for generating the link character string, and the link character string is a URL identifier used for accessing a page in a client.
S13: and encrypting the link character string to obtain the jump link.
In this step, the 3DES encryption technology is used to encrypt the link string to ensure the security of the skip link sent to the user side in the transmission process.
It should be noted that 3DES (also called Triple DES) is the common name for the Triple Data Encryption Algorithm (TDEA) block cipher. It is equivalent to applying the DES encryption algorithm three times to each block. Encrypting three times avoids the situation in which the information is easily cracked by brute force and improves the security of the information.
In this embodiment, the user information is the personal information of the user; because the user information is private, it is stored and a client without access rights is denied the user information.
Illustratively, the user information includes a user unique identification, a physical examination card number, a user name, a birth date, a certificate number, a certificate type, a gender, an order number, and the like.
In this embodiment, the authorization information is calculated by an authorization code generator to obtain an authorization code, the authorization code is associated with the user information and the jump link, and the number of times of use of the authorization code is set, for example: once, wherein the code represents the authorization code in the code. Therefore, by adopting the authorization information and the authorization code thereof, the client side which can be trusted by the server running the information security management method can access the corresponding user information, and the security of the user information is ensured; meanwhile, the validity period of the authorization code is set, and optionally, the validity period is set within a shorter period, for example: set to 10 minutes.
Due to the arrangement of the expiration date, the client cannot obtain the corresponding user information by using the expired authorization code, and the safety of the user information is further ensured.
It should be noted that, in the present application, a Python authorization code generator is used to calculate the authorization information to obtain an authorization code.
Illustratively, the authorization information includes an authorization type, a user end ID and an authorization scope, for example:
response_type: indicates the authorization type, a mandatory option, whose value is fixed to "code".
client_id: indicates the ID of the user side, a mandatory option.
scope: indicates the authorization scope.
Optionally, the authorization information further includes the current state of the user side, which represents the current state of the client and may specify an arbitrary value that the authentication server returns intact.
The authorization information is calculated to generate the authorization code, for example: code=SplxlOBeZQQYbYS6WxSbIA
In this embodiment, the user side may access the client side corresponding to the channel information in the access information through the jump link, and obtain a page corresponding to the page information in the access information in the client side. And the user side sends the authorization code to the client side, so that the client side can acquire the required user information from a server running an information security management method through the authorization code.
Optionally, after the jump link is obtained by encrypting the link string, the method further includes:
and uploading the jump link to a block chain.
It should be noted that corresponding summary information is obtained based on the jump link; specifically, the summary information is obtained by performing hash processing on the jump link, for example by using the sha256s algorithm. Uploading the summary information to the blockchain can ensure security as well as fairness and transparency for the user. The user equipment can download the summary information from the blockchain in order to verify whether the jump link has been tampered with. The blockchain referred to in this example is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A blockchain, which is essentially a decentralized database, is a series of data blocks associated by cryptographic methods; each data block contains information on a batch of network transactions, which is used to verify the validity (anti-counterfeiting) of the information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
S202: and receiving a token request sent by the client according to the authorization code and the jump link.
In this embodiment, the token request is an HTTP request, which includes the following parameters:
grant_type: indicates the authorization mode used.
code: indicates the authorization code.
redirect_uri: represents the jump link.
client_id: indicates the client ID.
Exemplarily, the code of the token request is as follows:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
S203: extracting the authorization code in the token request and verifying whether the authorization code is valid.
In order to prevent a client without permission from obtaining token information, the authorization code in the token request is verified; whether the authorization code is valid determines whether the client has permission to obtain the token information, which guarantees the security of the user information.
In a preferred embodiment, the step of verifying whether the authorization code is valid includes:
S31: setting the authorization code generated according to the authorization information as a first authorization code, and setting the authorization code in the token request as a second authorization code.
S32: the first and second authorization codes are compared for agreement.
S33: if the first authorization code is consistent with the second authorization code, whether the first authorization code has a use tag is judged, and the use tag is an identifier used for reflecting that the first authorization code is used.
S34: if the first authorization code does not have the use tag, the second authorization code is determined to be valid, and the use tag is inserted into the first authorization code to identify that the first authorization code is used.
S35: and if the use label exists, determining that the second authorization code is invalid.
S36: and if the first authorization code is inconsistent with a second authorization code, determining that the second authorization code is invalid.
An illegal client that is not authorized to acquire the user information may try to acquire it by downloading the token request sent by a legal client that is authorized to acquire the user information. The legal client usually acquires the user information by legitimately using the second authorization code, and the illegal client usually accesses the server only after the legal client has finished using the first authorization code. By comparing the first authorization code with the second authorization code and identifying whether the first authorization code has been used, this step effectively prevents the illegal client from acquiring the user information after the legal client and greatly improves the security of the user information.
S204: if the authorization code is valid, generating token information according to the token request, sending the token information to the client, and then executing step S206.
In this step, the token information includes the following parameters:
access_token: represents the access token.
token_type: represents the token type, which is a bearer type or a mac type.
expires_in: represents the expiration time, which in this embodiment is in seconds.
scope: and representing an authority range, wherein the authority range is consistent with the authorization range in the authorization information so as to ensure that the user information obtained through the token information is consistent with the real intention range authorized by the user, thereby ensuring the safety of the user information.
Illustratively, the code of the token information is as follows:
In this embodiment, the nginx-token is adopted as the token module to generate token information according to the token request.
S205: and if the authorization code is invalid, sending access refusing information to the client and ending.
In order to ensure that a client which is not authorized to acquire token information cannot acquire the user information of the token information set, the client is refused to send the same token request again by sending access refusing information to the client and ending, so that the safety of the user information is ensured, and the operation burden of the server is reduced.
S206: receiving an information request sent by a client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request;
if yes, judging that the information request is a legal request, destroying the token information, and executing step S207;
and if not, judging that the information request is an illegal request and ending.
In order to further ensure that the client obtaining the user information is an authorized client, and to avoid the situation in which a client repeatedly sends information requests and overloads the server running the information security management method, in this step the token information in the information request (namely, the value of access_token) is compared with the token information generated according to the token request (namely, the value of access_token). If the two are consistent, the information request is judged to be a legal request; if they are inconsistent, the information request is judged to be an illegal request. This avoids the situation in which an illegal client forges the token information by means of cross-site request forgery (for example, a CSRF attack) to obtain the user information, and further improves the security of the user information. The token information is destroyed to ensure that the client can obtain the user information only once, which avoids overloading the server running the information security management method through repeated information requests from the client.
In this embodiment, the client acquires a page corresponding to the page information in the access information according to the jump link, and extracts information required in the page to make an information request. For example: if the page information is product purchase information, the corresponding page is a product purchase page, based on the above example, the user information required by the product purchase page is the user unique identifier, and an information request is formed by combining the token information and the user unique identifier.
In fig. 3, step S206 is shown with the following labels:
S61: receiving an information request sent by a client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request;
S62: if yes, judging that the information request is a legal request, destroying the token information, and executing step S207;
S63: and if not, judging that the information request is an illegal request and ending.
S207: and extracting the token information in the legal request and verifying whether the token information is valid.
In order to avoid the situation that the token information is intercepted by an illegal client and corresponding user information is obtained through the token information, the step ensures that the client sending the legal request is authorized to obtain the user information by verifying whether the token information in the legal request is valid or not, and ensures the safety of the user information.
In a preferred embodiment, the step of verifying whether the token information is valid includes:
S71: calculating the time difference between the time of extracting the token information in the legal request and the generation time of the token information.
S72: and extracting the expiration time in the token information.
S73: and judging whether the time difference is larger than the expiration time.
S74: and if so, judging that the token information is invalid.
S75: if not, the token information is judged to be valid.
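The checks of steps S31 to S36 (single-use authorization code with a validity period) and of steps S206 and S71 to S75 (token comparison, destruction and expiry) can be modelled as below. This is an added example, not code from the application: the class and function names, the in-memory store keyed by client_id, the lock, the constant-time comparison and the 3600-second expires_in are assumptions, and the sample link and identifiers are constructed.

```python
import hmac
import secrets
import threading
import time
from dataclasses import dataclass

CODE_TTL = 600     # authorization code validity period: 10 minutes, as in the text
TOKEN_TTL = 3600   # expires_in, in seconds (assumed value)


@dataclass
class CodeRecord:
    code: str            # the "first authorization code"
    jump_link: str       # jump link the code was associated with when issued
    scope: str
    issued_at: float
    used: bool = False   # the "use tag"


def same(a, b):
    """Constant-time string comparison, so timing does not leak matching prefixes."""
    return hmac.compare_digest(a.encode(), b.encode())


class AuthServer:
    """Assumed in-memory model: one pending code and one token per client_id."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.lock = threading.Lock()
        self.codes, self.tokens = {}, {}

    def issue_code(self, client_id, jump_link, scope):
        code = secrets.token_urlsafe(16)
        with self.lock:
            self.codes[client_id] = CodeRecord(code, jump_link, scope, self.clock())
        return code

    def redeem_code(self, client_id, second_code, redirect_uri):
        """S31-S36 plus the validity period. Returns (status, token information)."""
        with self.lock:  # test and set of the use tag is one atomic step
            rec = self.codes.get(client_id)
            if rec is None or not same(rec.code, second_code):
                return "mismatch", None                  # S32, S36
            if redirect_uri != rec.jump_link:
                return "link_mismatch", None             # code is tied to its jump link
            if self.clock() - rec.issued_at > CODE_TTL:
                return "expired", None                   # validity period exceeded
            if rec.used:
                return "used", None                      # S33, S35
            rec.used = True                              # S34: insert the use tag
            tok = {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                   "expires_in": TOKEN_TTL, "scope": rec.scope}
            self.tokens[client_id] = (tok, self.clock())  # token and generation time
        return "ok", dict(tok)

    def info_request(self, client_id, presented_token):
        """S206, then S71-S75. Returns "ok", "illegal" or "expired"."""
        with self.lock:
            entry = self.tokens.get(client_id)
            if entry is None or not same(entry[0]["access_token"], presented_token):
                return "illegal"                         # S63
            del self.tokens[client_id]                   # S62: destroy the token
        tok, issued_at = entry
        age = self.clock() - issued_at                   # S71
        # S72-S75; the refresh path of S209 is not modelled here
        return "expired" if age > tok["expires_in"] else "ok"


def run_demo():
    now = [1_000_000.0]                      # settable clock, so expiry needs no waiting
    srv = AuthServer(lambda: now[0])
    link = "https://client.example.com/cb"   # constructed sample jump link
    out = []
    code = srv.issue_code("client-A", link, "user_id")
    out.append(srv.redeem_code("client-A", "guessed-code", link)[0])
    status, token = srv.redeem_code("client-A", code, link)
    out.append(status)
    out.append(srv.redeem_code("client-A", code, link)[0])           # replayed code
    out.append(srv.info_request("client-A", "forged-token"))
    out.append(srv.info_request("client-A", token["access_token"]))
    out.append(srv.info_request("client-A", token["access_token"]))  # replayed token
    stale = srv.issue_code("client-B", link, "user_id")
    now[0] += CODE_TTL + 1
    out.append(srv.redeem_code("client-B", stale, link)[0])
    fresh = srv.issue_code("client-C", link, "user_id")
    old_token = srv.redeem_code("client-C", fresh, link)[1]["access_token"]
    now[0] += TOKEN_TTL + 1
    out.append(srv.info_request("client-C", old_token))
    return out


if __name__ == "__main__":
    print(run_demo())
```

Holding the lock across the comparison and the setting of the use tag matters: without it, two concurrent token requests carrying the same code can both pass the check in S33 before either reaches S34.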
S208: if the token information is valid, inquiring user information according to the legal request, sending the user information to the client, and executing step S210.
Illustratively, based on the above example, since the user information to be queried by the legal request is the user unique identifier, the user unique identifier in the user information is sent to the client.
In this embodiment, the step of sending the user information to the client includes:
encrypting the user information to form encrypted user information,
and sending the encrypted user information to the client.
In the step, the user information is encrypted by adopting a 3DES encryption technology, so that the safety of the user information in the transmission process is ensured.
S209: if the token information is invalid, updating the token information to form reset token information, sending the reset token information to the client so that the client generates an information request according to the reset token information, and executing step S207.
A client with permission to acquire user information may find that the token information in its information request has become invalid because of a network fault or the like, and so be unable to acquire the corresponding user information. To avoid this, in this step, when the time difference between the time of the token information in the information request and the generation time of the token information exceeds the expiration time expires_in, the token information is updated by calling the refresh_token code to form reset token information, so that the client can acquire the user information normally and the stability of information acquisition is ensured.
In a preferred embodiment, the step of updating the token information to form reset token information includes:
S91: sending a reset request to a preset token module;
In this step, Nginx-token is adopted as the token module, which is an nmcached-based Nginx token module.
The reset request includes the following parameters:
grant_type: indicates the authorization mode used, where the value is fixed to "refresh_token"; a mandatory option.
refresh_token: indicates the update token received earlier; a mandatory option.
scope: the scope of the application is not limited to the scope of the last application, and if the parameter is omitted, the application is consistent with the last application.
Exemplarily:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
S92: controlling the token module to generate reset token information according to the reset request.
In this step, the token module is called to generate new token information according to the refresh_token code and the scope code to serve as the reset token information.
S210: and controlling the client to call an access page according to the jump link, loading the user information into the access page to form a feedback page, and sending the feedback page to the client.
Illustratively, based on the above example, if the access information is product purchase information, the jump link is a URI identifier of a product purchase page, so that the control client invokes the product purchase page, loads the obtained user unique identifier into the product purchase page to obtain a feedback page, and sends the feedback page to the user terminal, so that the user terminal can operate on the feedback page conveniently.
Example three:
Referring to fig. 4, an information security management apparatus 1 of the present embodiment includes:
the authorization link module 11 is configured to receive access information, user information, and authorization information sent by a user side, record the user information, generate a skip link according to the access information, and generate an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; the authorization code and the jump link are used for enabling the user side to access the client side;
a request input module 12, configured to receive a token request sent by a client according to the authorization code and the skip link;
the token generation module 14 is configured to generate token information according to the token request, and send the token information to the client;
a request judging module 16, configured to receive an information request sent by a client according to the token information, and judge whether token information in the information request is consistent with the token information generated according to the token request; if the token information is consistent with the information request, judging that the information request is a legal request and destroying the token information;
and the information output module 18 is used for inquiring user information according to the legal request and sending the user information to the client.
Optionally, the information security management apparatus 1 further includes:
the login authorization module 10 is configured to receive login information sent by a user, perform identity verification on the login information, and determine whether the login information is authorized to be logged in; if the user has the right to log in, the user sends login success information to the user side, and the user side generates access information and user information according to the login success information; if not, sending login failure information to the user side and ending.
Optionally, the information security management apparatus 1 further includes:
and the authorization code verification module 13 is configured to extract the authorization code in the token request, and verify whether the authorization code is valid.
Optionally, the information security management apparatus 1 further includes:
and the authorization invalidation module 15 is configured to send the access denial information to the client and end when the authorization code is invalid.
Optionally, the information security management apparatus 1 further includes:
and the token verifying module 17 is configured to extract the token information in the legal request, and verify whether the token information is valid.
Optionally, the information security management apparatus 1 further includes:
and the token invalidation module 19 is configured to update the token information to form reset token information when the token information is invalid, send the reset token information to the client, enable the client to generate an information request according to the reset token information, and invoke the token verification module 17.
Optionally, the information security management apparatus 1 further includes:
and the page control module 20 is configured to control the client to call an access page according to the jump link, load the user information into the access page to form a feedback page, and send the feedback page to the client.
The technical scheme relates to the technical field of safety protection of information safety, and comprises the steps of formulating and recording user information, generating a skip link according to access information, and generating an authorization code according to authorization information; generating token information according to the token request; judging whether the token information in the information request is consistent with the token information generated according to the token request; if the token information is consistent with the information request, the information request is judged to be a legal request, the access rule of the token information is destroyed, and the technical effect of access control of the client is achieved.
Example four:
in order to achieve the above object, the present invention further provides a computer device 5, where components of the information security management apparatus 1 according to the third embodiment may be distributed in different computer devices, and the computer device 5 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server, or a rack server (including an independent server or a server cluster formed by multiple application servers) that executes a program. The computer device of the embodiment at least includes but is not limited to: a memory 51, a processor 52, which may be communicatively coupled to each other via a system bus, as shown in FIG. 5. It should be noted that fig. 5 only shows a computer device with components, but it should be understood that not all of the shown components are required to be implemented, and more or fewer components may be implemented instead.
In this embodiment, the memory 51 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 51 may be an internal storage unit of the computer device, such as a hard disk or a memory of the computer device. In other embodiments, the memory 51 may be an external storage device of a computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, provided on the computer device. Of course, the memory 51 may also include both internal and external storage devices of the computer device. In this embodiment, the memory 51 is generally used for storing an operating system and various application software installed in the computer device, for example, the program codes of the information security management apparatus in the third embodiment. Further, the memory 51 may also be used to temporarily store various types of data that have been output or are to be output.
Processor 52 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 52 is typically used to control the overall operation of the computer device. In this embodiment, the processor 52 is configured to run a program code stored in the memory 51 or process data, for example, run an information security management apparatus, so as to implement the information security management methods of the first and second embodiments.
Example five:
to achieve the above objects, the present invention also provides a computer readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored, which when executed by a processor 52, implements corresponding functions. The computer-readable storage medium of the present embodiment is used for storing an information security management apparatus, and when executed by the processor 52, implements the information security management method of the first embodiment and the second embodiment.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (10)
1. An information security management method, comprising:
receiving access information, user information and authorization information sent by a user side, recording the user information, generating a skip link according to the access information, and generating an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; the authorization code and the jump link are used for enabling the user side to access the client side;
receiving a token request sent by the client according to the authorization code and the skip link;
generating token information according to the token request, and sending the token information to the client;
receiving an information request sent by a client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request; if the token information is consistent with the information request, judging that the information request is a legal request and destroying the token information;
and inquiring user information according to the legal request, and sending the user information to the client.
2. The information security management method according to claim 1, wherein before the receiving the access information, the user information and the authorization information sent by the user side, the method further comprises:
receiving login information sent by a user side, carrying out identity verification on the login information and judging whether the login information is authorized to be logged in; if the user has the right to log in, the user sends login success information to the user side, and the user side generates access information and user information according to the login success information; if not, sending login failure information to the user side and ending.
3. The information security management method according to claim 1, wherein the step of generating the jump link according to the access information includes:
intercepting the access information and generating an access ID;
splicing the access ID and the channel information to obtain a link character string;
encrypting the link character string to obtain a jump link;
after the jump link is obtained by encrypting the link string, the method further includes:
and uploading the jump link to a block chain.
4. The information security management method according to claim 1, wherein before generating the token information according to the token request, the method further comprises:
extracting an authorization code in the token request and verifying whether the authorization code is valid;
and if the authorization code is invalid, sending access refusing information to the client and ending.
5. The information security management method according to claim 4, wherein the step of verifying whether the authorization code is valid includes:
setting the authorization code generated according to the authorization information as a first authorization code, and setting the authorization code in the token request as a second authorization code;
comparing whether the first authorization code and the second authorization code are consistent;
if the first authorization code is consistent with a second authorization code, judging whether the first authorization code has a use tag, wherein the use tag is an identifier used for reflecting that the first authorization code is used;
if the first authorization code does not have the use tag, judging that the second authorization code is valid, and inserting the use tag into the first authorization code to identify that the first authorization code is used;
if the use label exists, the second authorization code is judged to be invalid;
and if the first authorization code is inconsistent with a second authorization code, determining that the second authorization code is invalid.
6. The information security management method according to claim 1, wherein before querying the user information according to the legal request, the method further comprises:
extracting token information in the legal request and verifying whether the token information is valid;
and if the token information is invalid, updating the token information to form reset token information, and sending the reset token information to the client so that the client generates an information request according to the reset token information.
7. The information security management method according to claim 6, wherein the step of verifying whether the token information is valid includes:
calculating the time difference between the time for extracting the token information in the legal request and the generation time of the token information;
extracting the expiration time in the token information;
judging whether the time difference is larger than the expiration time or not;
if yes, determining that the token information is invalid;
if not, the token information is judged to be valid.
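The checks in claims 5 and 7, written out as an added Python example (not code from the patent). The class and method names, the in-memory dictionaries, the lock and the constant-time comparison are assumptions made for illustration; the claims only specify the comparison, the use tag and the time-difference test.

```python
import hmac
import secrets
import threading
import time


class AuthServer:
    """Toy in-memory server; all names here are hypothetical."""

    def __init__(self, token_ttl=300.0):
        self.codes = {}    # user_id -> {"code": first authorization code, "used": use tag}
        self.tokens = {}   # token -> {"issued_at": generation time, "expires_in": expiration time}
        self.token_ttl = token_ttl
        self._lock = threading.Lock()

    def issue_code(self, user_id):
        code = secrets.token_urlsafe(16)
        self.codes[user_id] = {"code": code, "used": False}
        return code

    def verify_code(self, user_id, second_code):
        """Claim 5: compare first and second code, then test and set the use tag."""
        # The lock makes check-and-tag atomic, so two concurrent token
        # requests cannot both redeem the same authorization code.
        with self._lock:
            entry = self.codes.get(user_id)
            if entry is None:
                return False
            # Constant-time comparison: no timing hint about matching prefixes.
            if not hmac.compare_digest(entry["code"].encode(), second_code.encode()):
                return False
            if entry["used"]:          # use tag present -> replayed code
                return False
            entry["used"] = True       # insert the use tag
            return True

    def issue_token(self, now=None):
        token = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self.tokens[token] = {"issued_at": issued, "expires_in": self.token_ttl}
        return token

    def token_valid(self, token, now=None):
        """Claim 7: invalid when (extraction time - generation time) > expiration time."""
        meta = self.tokens.get(token)
        if meta is None:
            return False
        now = time.time() if now is None else now
        return (now - meta["issued_at"]) <= meta["expires_in"]
```

A mismatched code does not set the use tag, so a wrong guess cannot burn a legitimate user's code; only a successful redemption marks it as used.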
8. An information security management apparatus, comprising:
the authorization link module is used for receiving access information, user information and authorization information sent by a user side, recording the user information, generating a jump link according to the access information, and generating an authorization code according to the authorization information; sending the authorization code and the jump link to the user side; the authorization code and the jump link are used for enabling the user side to access the client side;
the request input module is used for receiving a token request sent by the client according to the authorization code and the jump link;
the token generation module is used for generating token information according to the token request and sending the token information to the client;
the request judging module is used for receiving an information request sent by a client according to the token information, and judging whether the token information in the information request is consistent with the token information generated according to the token request; if they are consistent, judging that the information request is a legal request and destroying the token information;
and the information output module is used for inquiring user information according to the legal request and sending the user information to the client.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the information security management method according to any one of claims 1 to 7 are implemented by the processor of the computer device when the computer program is executed.
10. A computer-readable storage medium, on which a computer program is stored, wherein the computer program stored in the computer-readable storage medium, when executed by a processor, implements the steps of the information security management method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011537973.0A CN112565293A (en) | 2020-12-23 | 2020-12-23 | Information security management method and device, computer equipment and readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112565293A true CN112565293A (en) | 2021-03-26 |
Family
ID=75030957
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011537973.0A Pending CN112565293A (en) | 2020-12-23 | 2020-12-23 | Information security management method and device, computer equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112565293A (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102737051A (en) * | 2011-04-12 | 2012-10-17 | 贾洪明 | Method for acquiring merchandize cashback information |
| US20140075513A1 (en) * | 2012-09-10 | 2014-03-13 | Adobe Systems Incorporated | Device token protocol for authorization and persistent authentication shared across applications |
| US20150150110A1 (en) * | 2013-11-27 | 2015-05-28 | International Business Machines Corporation | Identifying and destroying potentially misappropriated access tokens |
| CN104966211A (en) * | 2015-06-04 | 2015-10-07 | 广州优蜜移动科技股份有限公司 | Method and system for automatically identifying channel relationship |
| CN106295394A (en) * | 2016-07-22 | 2017-01-04 | 飞天诚信科技股份有限公司 | Resource authorization method and system and authorization server and method of work |
| CN109309683A (en) * | 2018-10-30 | 2019-02-05 | 泰华智慧产业集团股份有限公司 | The method and system of client identity verifying based on token |
| CN111680232A (en) * | 2020-06-03 | 2020-09-18 | 北京三快在线科技有限公司 | Page display method, device, equipment and storage medium |
| CN111818088A (en) * | 2020-07-28 | 2020-10-23 | 深圳壹账通智能科技有限公司 | Authorization mode management method and device, computer equipment and readable storage medium |
| CN111931088A (en) * | 2020-10-13 | 2020-11-13 | 北京拓课网络科技有限公司 | Webpage link processing method and device and electronic equipment |
| CN112039889A (en) * | 2020-08-31 | 2020-12-04 | 康键信息技术(深圳)有限公司 | Password-free login method, device, equipment and storage medium |
-
2020
- 2020-12-23 CN CN202011537973.0A patent/CN112565293A/en active Pending
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115484027A (en) * | 2021-06-15 | 2022-12-16 | 中移动信息技术有限公司 | Token application linear consistency method and device based on bos chain |
| CN115484027B (en) * | 2021-06-15 | 2024-06-25 | 中移动信息技术有限公司 | Token application linear consistency method and device based on BOS chain |
| CN113890750A (en) * | 2021-09-22 | 2022-01-04 | 珠海美佳音科技有限公司 | Temporary authorization control method, device, equipment and storage medium for massage equipment |
| CN113890750B (en) * | 2021-09-22 | 2024-03-08 | 珠海美佳音科技有限公司 | Temporary authorization control method, device and equipment for massage equipment and storage medium |
| CN113971292A (en) * | 2021-10-26 | 2022-01-25 | 科大讯飞股份有限公司 | Authorization method and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20210326 |