[go: up one dir, main page]

CN120337236A - A data resource access method, device, equipment and medium - Google Patents

A data resource access method, device, equipment and medium

Info

Publication number
CN120337236A
CN120337236A CN202410063871.1A CN202410063871A CN120337236A CN 120337236 A CN120337236 A CN 120337236A CN 202410063871 A CN202410063871 A CN 202410063871A CN 120337236 A CN120337236 A CN 120337236A
Authority
CN
China
Prior art keywords
access
ticket
information
client
resource
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410063871.1A
Other languages
Chinese (zh)
Inventor
吴岳廷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202410063871.1A priority Critical patent/CN120337236A/en
Publication of CN120337236A publication Critical patent/CN120337236A/en
Pending legal-status Critical Current

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

本申请提供了一种数据资源访问方法、装置、设备以及介质,该方法包括:接收票据获取请求,在基于票据获取请求获取到终端设备的设备应用数据信息时,生成第一访问票据和第二访问票据,将第一访问票据和第二访问票据返回给安全应用客户端;接收票据校验请求,对票据校验请求中所携带的第一待校验票据和第二待校验票据分别进行票据校验,得到第一票据校验结果和第二票据校验结果;在第一票据校验结果指示第一待校验票据为第一访问票据,且第二票据校验结果指示第二待校验票据为第二访问票据时,通知智能网关将资源访问请求转发给业务服务器。采用本申请,可以提高在零信任网络访问系统中,对业务数据资源进行访问时的安全性和可靠性。

The present application provides a data resource access method, apparatus, device and medium, the method comprising: receiving a ticket acquisition request, generating a first access ticket and a second access ticket when obtaining device application data information of a terminal device based on the ticket acquisition request, and returning the first access ticket and the second access ticket to a secure application client; receiving a ticket verification request, performing ticket verification on the first ticket to be verified and the second ticket to be verified carried in the ticket verification request, respectively, to obtain a first ticket verification result and a second ticket verification result; when the first ticket verification result indicates that the first ticket to be verified is a first access ticket, and the second ticket verification result indicates that the second ticket to be verified is a second access ticket, notifying the intelligent gateway to forward the resource access request to the business server. The present application can improve the security and reliability of accessing business data resources in a zero-trust network access system.

Description

Data resource access method, device, equipment and medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for accessing data resources.
Background
In the zero-trust network access system, when a certain user requests access to a service resource in a certain site (for example, site a) through a terminal device, the server is required to generate an access ticket uniquely used for accessing the service resource according to a single access ticket generation mode, the access ticket is returned to the terminal device, and after receiving the access ticket issued by the server, the terminal device can access the service resource in the site a through the access ticket.
However, the inventors have found in practice that zero trust network access systems are often subject to a wide variety of malicious attacks by attackers. For example, in the case that the terminal device stores an access ticket that is only used for accessing a service resource, once an illegal object (i.e., an attacker) illegally obtains the single access ticket, and then in combination with the reverse analysis of a component in the terminal device, the access security weakness in the zero-trust network access system may be directly analyzed, so that the phenomenon that the service resource is illegally accessed by directly using the single access ticket occurs, thereby reducing the security and reliability of accessing the service resource.
Disclosure of Invention
The embodiment of the application provides a data resource access method, a device, equipment and a medium, which can improve the safety and reliability of accessing service data resources in a zero-trust network access system.
In one aspect, an embodiment of the present application provides a method for accessing a data resource, where the method is executed by a secure application server, and includes:
Receiving a ticket acquisition request for service data resources sent by a security application client, generating a first access ticket and a second access ticket associated with the service data resources based on equipment application data information when equipment application data information of terminal equipment where the security application client is located is acquired based on the ticket acquisition request, and returning the first access ticket and the second access ticket as resource access tickets to the security application client so that the security application client sends the first access ticket to an access agent in the security application client through a first data transmission channel when the security application client recognizes that the resource access ticket contains the first access ticket and the second access ticket, and sends equipment auxiliary information and the second access ticket associated with the terminal equipment to the access agent through a second data transmission channel, wherein the security transmission grade of the first data transmission channel is higher than that of the second data transmission channel;
Receiving a bill verification request sent by an access agent through an intelligent gateway, and respectively carrying out bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request to obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified;
When the first bill checking result indicates that the first bill to be checked is a first access bill and the second bill checking result indicates that the second bill to be checked is a second access bill, the intelligent gateway is informed to forward the resource access request to the service server when the resource access request sent by the service client intercepted by the access agent is acquired, and the resource access request is used for indicating the service server to authorize the service client to access the service data resource.
In one aspect, an embodiment of the present application provides a method for accessing a data resource, where the method is performed by a terminal device running a secure application client, and includes:
sending a bill acquisition request for service data resources to a security application server;
Receiving a resource access ticket returned by the security application server, and carrying out ticket identification on a first access ticket and a second access ticket carried in the resource access ticket to obtain a ticket identification result;
When the bill identification result indicates that the first access bill is a first type access bill, the first type access bill is sent to an access agent in the security application client through a first data transmission channel;
When the bill identification result indicates that the second access bill is the second type access bill, acquiring equipment auxiliary information associated with the terminal equipment, transmitting the second type access bill and the equipment auxiliary information to an access proxy through a second data transmission channel, so that the access proxy takes the first type access bill as a first bill to be identified and takes the second type access bill as a second bill to be identified when acquiring the first type access bill and the second type access bill, generating a bill verification request based on the first bill to be identified, the second bill to be identified and the equipment auxiliary information, and transmitting the bill verification request to a security application server through an intelligent gateway, wherein the intelligent gateway is deployed between a service client in the terminal equipment and a service server storing service data resources.
In one aspect, an embodiment of the present application provides a data resource access device, where the device operates on a secure application server, and includes:
The system comprises a ticket generation module, a security application client and a security transmission channel, wherein the ticket generation module is used for receiving a ticket acquisition request for a business data resource sent by the security application client, generating a first access ticket and a second access ticket which are associated with the business data resource based on equipment application data information when equipment application data information of terminal equipment where the security application client is located is acquired based on the ticket acquisition request, and returning the first access ticket and the second access ticket as resource access tickets to the security application client, so that the security application client sends the first access ticket to an access agent in the security application client through a first data transmission channel when the resource access ticket is identified to contain the first access ticket and the second access ticket, and sends equipment auxiliary information and the second access ticket which are associated with the terminal equipment to the access agent through a second data transmission channel;
The system comprises a bill verification module, an intelligent gateway, a service client, a service server, a service data resource, a service server and a service server, wherein the bill verification module is used for receiving a bill verification request sent by an access agent through the intelligent gateway, and respectively carrying out bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request to obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified;
The system comprises a result notification module, a service server and an intelligent gateway, wherein the result notification module is used for notifying the intelligent gateway to forward a resource access request to the service server when acquiring the resource access request sent by a service client intercepted by an access agent when a first bill verification result indicates that a first bill to be verified is a first access bill and a second bill verification result indicates that a second bill to be verified is a second access bill, and the resource access request is used for indicating the service server to authorize the service client to access service data resources.
In one aspect, an embodiment of the present application provides a data resource access device, where the device is executed by a terminal device running a secure application client, and includes:
the first sending module is used for sending a bill acquisition request aiming at the business data resource to the security application server;
the system comprises a security application server, a bill identification module, a first access bill and a second access bill, wherein the security application server is used for acquiring a request of a security application client, and receiving a resource access bill returned by the security application server;
The first transmission module is used for transmitting the first type of access ticket to an access agent in the security application client through a first data transmission channel when the ticket identification result indicates that the first access ticket is the first type of access ticket;
The system comprises a first transmission module, a second transmission module, an intelligent gateway, a security application server, a service client and a service server, wherein the first transmission module is used for acquiring equipment auxiliary information associated with terminal equipment when a bill identification result indicates that a first access bill is a first type access bill, transmitting the equipment auxiliary information to the terminal equipment through a first data transmission channel, enabling the access proxy to use the first type access bill as a first to-be-identified bill and the first type access bill as a second to-be-identified bill when the access proxy acquires the first type access bill and the second type access bill, generating a bill verification request based on the first to-be-identified bill, the second to-be-identified bill and the equipment auxiliary information, and transmitting the bill verification request to the security application server through the intelligent gateway, the security transmission grade of the first data transmission channel is higher than that of the second data transmission channel, and the intelligent gateway is deployed between the service client and the service server storing service data resources in the terminal equipment.
An aspect of an embodiment of the present application provides a computer device, including a memory and a processor, where the memory is connected to the processor, and the memory is used to store a computer program, and the processor is used to call the computer program, so that the computer device performs the method provided in the foregoing aspect of the embodiment of the present application.
An aspect of an embodiment of the present application provides a computer readable storage medium, in which a computer program is stored, the computer program being adapted to be loaded and executed by a processor, to cause a computer device having a processor to perform the method provided in the above aspect of an embodiment of the present application.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the method provided in the above aspect.
In the embodiment of the application, the security application server can receive a ticket acquisition request for service data resources sent by a security application client, generate a first access ticket and a second access ticket associated with the service data resources based on equipment application data information when equipment application data information of terminal equipment where the security application client is located is acquired based on the ticket acquisition request, and return the first access ticket and the second access ticket as resource access tickets to the security application client, so that the security application client can send the first access ticket to an access agent in the security application client through a first data transmission channel when the resource access ticket is identified to contain the first access ticket and the second access ticket, and send equipment auxiliary information associated with terminal equipment and the second access ticket to the access agent through a second data transmission channel, wherein the security transmission grade of the first data transmission channel is higher than that of the second data transmission channel, and the security application server transmits the second access ticket through a second data transmission channel with a lower security transmission grade by sending the first access ticket and the second access ticket simultaneously. This means that no encryption processing will be performed on the second type of access ticket or a low level encryption processing will be performed on the second type of access ticket. Therefore, when an attacker intends to tamper the access ticket, the attacker can misuse the second access ticket as the first access ticket issued by the server to induce the attacker to tamper the second access ticket, so that the tamper behavior of the attacker is judged when the second access ticket is checked later. further, the security application server can receive a bill verification request sent by the access agent through the intelligent gateway, respectively perform bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request, obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified, and further, when the first bill verification result indicates that the first bill to be verified is the first access bill and the second bill verification result indicates that the second bill to be verified is the second access bill, notify the intelligent gateway to forward the resource access request to the service server when the resource access request sent by the service client intercepted by the access agent is acquired. Specifically, when the second type access ticket is checked, the related information of the second type access ticket generated through checking can be compared with the auxiliary information of the equipment, and when the comparison result indicates inconsistent, the security application server can effectively discover the falsification behavior of an attacker aiming at the second type access ticket, so that the access authority of an access object is disabled, the connection between the access agent and the intelligent gateway is interrupted, and the access is interrupted. Therefore, the security application server can effectively find the tamper behavior of the attack on the ticket and the illegal access behavior of the service data resource by issuing the first access ticket and the second access ticket, and can timely take security defense measures to interrupt the access session when finding the tamper behavior, thereby ensuring the security and reliability of the access object when accessing the service data resource.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a network architecture according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a data processing flow for network access based on a zero-trust network access system according to an embodiment of the present application;
FIG. 3 is a schematic view of a scenario for data interaction according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of a method for accessing data resources according to an embodiment of the present application;
FIG. 5 is a schematic diagram of generating a resource access ticket provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a method for verifying a ticket and obtaining a ticket verification result according to an embodiment of the present application;
FIG. 7 is a flowchart illustrating another method for accessing data resources according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a security application client processing a resource access ticket according to an embodiment of the present application;
FIG. 9 is a schematic diagram of an access agent processing a resource access ticket according to an embodiment of the present application;
FIG. 10 is a timing diagram of a method for accessing data resources according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a data resource access device according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a structure of a data resource access device according to an embodiment of the present application;
FIG. 13 is a schematic diagram of a computer device according to an embodiment of the present application;
FIG. 14 is a schematic diagram of a data processing system according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Before explaining the data resource access method in the embodiment of the application in detail, technical terms related to the application are explained.
Trusted application: the application carrier of the internal service system can be accessed by the user terminal trusted by the secure application client, and can comprise any application which can be installed on the user terminal, including an application of an operating system and an application which can be installed by a user, such as Outlook, weChat or office, and the like, and the application characteristic information of the trusted application comprises information such as an application name, an information Digest Algorithm (MD 5) value of the application, signature information and the like. For example, the trusted application may be an application client such as a social client, an office client, a search client (e.g., a browser client), a multimedia client (e.g., a video client), an entertainment client (e.g., a game client), an educational client, a live client, a news client, or a shopping client (e.g., an e-commerce client).
And (3) accessing the internal site list set by the enterprise by the terminal user through the zero-trust network, wherein the internal site in the internal site list which can be accessed by the user is the user's reachable area according to the zero-trust network access strategy configured for the user. In the embodiment of the application, the access object (i.e. the end user) can initiate the access request for the service data resource in the target service site (i.e. the reachable area) through the client (i.e. the service client) corresponding to the service application (i.e. the trusted application).
And the login credentials comprise an encryption string appointed by the security application server for the user after the terminal user successfully logs in the security application client, and the login authorization information of the user comprises user information and authorization validity period. The login credentials are stored encrypted at the secure application client.
The network request certificate, or verification certificate or ticket, the security application server is used for identifying the authorization state of the network request for the single service access request, the security application client or the security application server is used for issuing the verification certificate for the network request certificate after intercepting the service access request, the access agent carries the verification certificate to initiate access to the intelligent gateway, and the intelligent gateway forwards the service access request to the corresponding service server after the verification certificate corresponding to the service access request passes through the verification of the security application server. In an embodiment of the present application, the login credentials may be a first access ticket and a second access ticket generated by the secure application server.
The zero trust access control strategy, or zero trust network access strategy, consists of a trusted application usable by the terminal user and an accessible reachable area, wherein the trusted application and the reachable area are within the scope of the zero trust network access strategy of the user, and the user can access any accessible area through any one trusted application. The granularity of the zero-trust network access policy is for the login user, allowing different zero-trust policies to be formulated for different login users. In the embodiment of the application, after a user logs in a security application client through a terminal, the security application client, a security application server and an intelligent gateway can be assembled to form a zero-trust network access system, and a zero-trust access control strategy (namely the zero-trust strategy) is configured in the zero-trust network access system.
The access agent is a terminal agent which is deployed at the controlled terminal equipment and initiates secure access, is responsible for initiating the request of the trusted identity authentication of the access main body, verifies the trusted identity, can establish encrypted access connection with the access gateway (or called intelligent gateway/zero trust gateway), and is also a policy execution point of access control. Wherein, in an embodiment of the present application, the access agent may be a component in the secure application client.
The zero trust gateway, or intelligent gateway, is deployed at the entrance of enterprise application program and data resource and is responsible for verifying and forwarding each session request accessing enterprise resource. In the embodiment of the application, the intelligent gateway deployed between the access agent and the security application server can be used for forwarding the bill verification request to the security application server.
And the access subject is a person/equipment/application for accessing the intranet business resources in the network by the party initiating the access, and is a digital entity formed by single or combination of factors such as person, equipment, application and the like. In the embodiment of the application, the access subject can be the following access object/terminal equipment/service application or a digital entity formed by combination.
And accessing objects, namely accessing one party, namely business resources of an enterprise intranet in a network, wherein the business resources comprise applications, systems (development test environments, operation and maintenance environments, production environments and the like), data, interfaces, functions and the like. In the embodiment of the application, the business data resource accessed by the access main body can be accessed.
In the zero-trust network access architecture, a certain application initiates a network access request to a station, after the full-flow agent hives the flow, the full-flow agent initiates the network access to the target station, namely initiates the access of direct connection, and the full-flow agent sends the network response of the target station to the application, and the access mode is called direct access. In the embodiment of the present application, when the access agent obtains the resource access request, the access agent directly sends the resource access request to the service server to obtain the service data resource, which may be referred to as direct access.
Proxy access, in the zero trust network access architecture, a certain application initiates a network access request to a station, after hijacking flow by a full flow proxy, the full flow proxy initiates flow forwarding to an intelligent gateway, the intelligent gateway proxy accesses a target service station, after accessing, the intelligent gateway sends the network response of the target station to the full flow proxy, and the full flow proxy forwards the network response of the target station to the application, and the access mode is called proxy access. In the embodiment of the present application, when the access proxy obtains the resource access request, the access proxy forwards the resource access request to the intelligent gateway, and the intelligent gateway sends the resource access request to the service server to obtain the service data resource, which may be referred to as proxy access.
Service addressing, namely, in a distributed cascade deployment mode, different services are deployed in different servers, and the process of searching the server connection address where the background service is deployed is the service addressing, wherein the background service is concerned by different service modules of a client.
White-box cryptography, which is a cryptographic technology capable of resisting white-box attacks, can be divided into two types, namely static white-box and dynamic white-box in terms of implementation. In the embodiment of the application, the white-box cryptographic technology is used for encrypting the resource access ticket.
Sensitive information, login information of the user including user id, password, etc., and login credentials (big ticket) and network access credentials (small ticket). In an embodiment of the present application, a first access ticket and a second access ticket may be included.
Business module, which is a collection of files to complete some specific functions. The concept of modules can more clearly describe products and can more conveniently specify the content to be installed and uninstalled. For example, we can specify that only one "threat response" module, or "application management" module, is installed. In the embodiment of the application, the module for acquiring the device auxiliary information of the terminal device in the secure application client can be provided. The device auxiliary information here may include, but is not limited to, machine information, software and hardware information, login user information, and the like of the terminal device.
The data persistence is that the data structure or object model in the memory is converted into a relational model, XML, JSON, binary stream and the like, and the storage model is converted into the generic term of the data model in the memory, and the persistence library is that the storage medium of the content of the relational model, XML, JSON, binary stream and the like which is stored in a local disk file or a data file of the device and is converted from the data structure or object model in the memory can be realized by using an encryption file, an embedded database and the like.
Policy-a series of rule sets issued by an administrator at the management end for enterprise terminal management. Including patch repair, zero trust network management and control, security reinforcement policies, etc. Policies may contain sensitive information such as notes, timeliness, number of validity, etc. In the embodiment of the application, the zero trust network access policy may be referred to.
Network session, which is a process that a user performs one time of information interaction with a service system, such as a process that data is transmitted or received after a client establishes a network link with a server. Including connection establishment and termination, or transmission and reception of data. In the embodiment of the present application, the process of establishing a network connection between a service client in a terminal device and a service server and acquiring a service data resource from the service server may be referred to as a network session.
Access session-based on web session and contains a set of related features. An access session is an abstract concept that is bound to a device, a person, a network attribute, a process attribute, and an endpoint attribute combination for each network session that accesses business resources (including business applications, core systems, asset data, function interfaces, etc.) of an enterprise intranet. In the embodiment of the application, the process that the access object initiates the resource access request to the service data resource can be called as an access session.
Dynamic and static characteristics of the application process, namely the application process has static and dynamic characteristics. Wherein, the static characteristic refers to an absolute path of an application process executable file, a process executable file hash, an application signature, application copyright information and the like. The dynamic characteristic information comprises information such as which account of the system the process is started, a command line for starting the process, and the like. In the application embodiment, the request parameters in the ticket acquisition request sent by the secure application client to the secure application server may include dynamic and static characteristics of the application process.
Certificate fixing, a security measure mainly used for preventing man-in-the-middle attacks, is commonly used for mobile terminals, PC terminals and other types of clients. The fixed requirements require that the client only accept a specific server certificate or certificate chain, ensuring that the client communicates with the intended server, avoiding communication with potential attackers. In this embodiment of the present application, when there is a data interaction between the secure application client and the secure application server (for example, the secure application server sends a first access ticket to the secure application client), the secure application server and the secure application client mutually verify the credentials, that is, the secure application client verifies the credentials of the secure application server, and the secure application server verifies the credentials of the secure application client. Only when the simultaneous authentication is successful, the secure application server and the secure application client establish a connection. Thus, the communication channel between the secure application server and the secure application client is highly secure, thereby avoiding an attacker's attack operation on the first access ticket (e.g., tampering with the first access ticket).
Referring to fig. 1, fig. 1 is a schematic structural diagram of a network architecture according to an embodiment of the present application. As shown in fig. 1, the network architecture may include a user terminal cluster 100, a server 101, an intelligent gateway 102, and a service server cluster 103, where the user terminal cluster may include one or more user terminals, and the number of user terminals is not limited herein. As shown in fig. 1, the user terminal cluster may specifically include a user terminal 100a, a user terminal 100b, a user terminal 100n. The user terminals in the user terminal cluster 100 may be various intelligent terminals with service data access functions, such as smart phones, tablet computers, notebook computers, desktop computers, palm computers, mobile internet devices (mobile INTERNET DEVICE, MID), wearable devices (e.g., smart watches, smart bracelets, etc.), intelligent computers, intelligent vehicles, etc. As shown in fig. 1, user terminals 100a, 100b, 100n may each be in network connection with the above-described server 101, so that each user terminal may interact with the server 101 through the network connection.
It should be appreciated that the user terminals in the user terminal cluster shown in fig. 1 may each be provided with a service application and a target application (i.e. a secure application client, e.g. iOA client), which may interact with the server 101 shown in fig. 1, respectively, when the secure application client is running in each user terminal.
The business applications (i.e., business application clients) herein may be social clients, office clients, search clients (e.g., browser clients), multimedia clients (e.g., video clients), entertainment clients (e.g., game clients), educational clients, live broadcast clients, news clients, shopping clients (e.g., e-commerce clients), and the like. Here, the service application (i.e., trusted application) refers to an application carrier that an access user corresponding to the secure application client can access the target service resource through the user terminal (for example, the user terminal 100 a) shown in fig. 1, and includes an application name, an application MD5 (an information summary policy), signature information, and the like.
As shown in fig. 1, the server 101 in the embodiment of the present application may be a server corresponding to the secure application client, that is, a secure application server (for example, iOA servers). The server 101 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms.
In this embodiment of the present application, after a user logs in a secure application client through a user terminal (for example, user terminal 100 a), the secure application client, the secure application server 101 and the intelligent gateway 102 may be configured to form a zero-trust secure application system (or referred to as a zero-trust network access system) for providing security for enterprise resource access services. The server 101 (i.e., the security application server) is configured to provide services such as policy issuing, resource access ticket issuing and verification, security detection, and sending out unknown processes for the zero trust security application system. Intelligent gateway 102 is deployed at the entrance of enterprise applications and data resources and is responsible for the authentication, authorization, and forwarding of each session request to access the enterprise resources. In one possible implementation, the security application server 101 and the intelligent gateway 102 may be implemented by the same device, for example, may be disposed on the same server, or may be disposed on different devices, which is not limited in this embodiment of the present application.
Where it should be appreciated that the service server cluster 103 is for providing enterprise resources to users accessing an enterprise service system, the service server cluster 103 may include one or more service servers, and the number of service servers is not limited herein. The service server cluster 103 may specifically include a service server 103a, a service server 103b, a service server 103n, etc. The service server in the service server cluster 103 may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms.
In the embodiment of the application, after a user (for example, a user a) logs in a secure application client through a user terminal, when the user initiates a resource access request for a service data resource (for example, a document a) in a certain service server (for example, a browser B), an access agent in the secure application client initiates an authentication request (i.e., a request for acquiring network access credentials/access tickets) to the secure application client when intercepting the resource access request. Further, the security application client authenticates the access right of the user a based on the related parameters (for example, user identity information, terminal equipment information, etc.) in the authentication request, and when determining that the user a has the access right, sends a ticket acquisition request to the security application server. Further, the security application server acquires the relevant parameters in the ticket acquisition request, and further configures a resource access ticket for the user A based on the configured zero-trust network access policy, and then returns the resource access ticket to the security application client. It should be appreciated that the secure application client forwards the resource access ticket to the access agent, such that the access agent generates a ticket check request based on the resource access ticket and forwards the ticket check request to the intelligent gateway. Further, the intelligent gateway sends the bill verification request to the security application server, and the security application server verifies the bill in the bill verification request. It should be appreciated that upon successful ticket verification, the access agent will forward the resource access request to the intelligent gateway, so that the intelligent gateway forwards the resource access request to the service server B, and thus obtains the service data resource (e.g., document a).
It should be understood that fig. 1 is merely an exemplary representation of a possible network architecture according to the present application, and is not limited to a specific architecture according to the present application, i.e. the present application may also provide other network architectures.
Further, referring to fig. 2, fig. 2 is a schematic diagram of a data processing flow for performing network access based on a zero-trust network access system according to an embodiment of the present application. As shown in FIG. 2, (1) an access subject initiates a resource access request for an access object through an application installed in a terminal device, (2) a security application client installed in the terminal device can hijack the resource access request through an access proxy and initiate an authentication request to the security application client, namely apply a network access credential (i.e. a resource access ticket) of the current resource access request to the security application client, wherein request parameters in the authentication request comprise a source IP or domain name, a source port, a destination IP or domain name, a destination port, a process identification number PID (Process ID) corresponding to the application, and the like, (3) the security application client acquires MD5 of a process PID (process path), latest process modification time, copyright information, signature information, and the like of the process transmitted by the security application client through the access proxy, (4) the security application client applies for the security application server according to the source IP or domain name, the source port, the destination IP or the domain name, the destination port, the like of the network request transmitted by the access proxy, and the security application server, audits parameters in the application request, if the security application server passes, and transmits the security application ticket access ticket to the security application server by the security application client, generates a security application ticket and transmits the security ticket to the security application client by using the security application ticket and the security application server, the method comprises the steps of (1) detecting viruses by sending an application process to a virus checking and killing service of a cloud through a sending and checking service in a security application server, (6) sending received resource access notes, the maximum use times of the notes and the effective time of the notes to an access proxy by a security application client as a response, (7) firstly initiating Https requests to a zero-trust gateway by the access proxy, wherein the resource access notes transmitted by the security application client are carried in an Authorization header field, (8) sending a note checking request to the security application server by the zero-trust gateway, (9) sending a checking result to the zero-trust gateway by the security application server, if the checking is successful, successfully establishing connection between the zero-trust gateway and a service server by the zero-trust gateway, (10) sending the original resource access request to the zero-trust gateway by the zero-trust gateway, forwarding the corresponding service data resources to the zero-trust gateway, (12) forwarding the service data resources to the access proxy, and (13) returning the service data resources to terminal equipment by the access proxy. Furthermore, if the verification of the resource access ticket in (8) fails, the connection of the access agent to the zero trust gateway is broken.
As shown in fig. 2, a plurality of service modules, such as a policy center, a ticket center, a shipment service, a security detection service, and the like, are provided in the security application server.
The policy center is used for configuring and issuing a zero-trust network access policy, when the zero-trust network access policy is configured, the security application server can be communicated with the security application management end (i.e. the interrupt corresponding to the enterprise administrator), a corresponding page is displayed in a display interface of the security application management end, so that the enterprise administrator can conveniently configure the policy in the page, and after the configuration is completed, the zero-trust network access policy is issued to the security application client, so that the security application client manages network resource access of a user according to the zero-trust network access policy. The enterprise administrator can perform policy configuration on a policy management page, for example, the trusted application configuration, the service system configuration, and the like, can set different accessible service systems for different users or user groups, and can configure sites accessible to users on an add resource page.
The ticket center returns a resource access ticket in response to a ticket application request of the security application client, and verifies the resource access ticket after receiving a ticket verification request sent by the zero-trust gateway, as shown in fig. 2.
The sending service sends the process of the application uploaded by the security application client to the virus checking and killing service of the cloud for virus detection. The security detection service specifically comprises an identity verification module, a device trusted module and an application detection module, wherein the identity verification module is used for verifying the identity of a user, the device trusted module is used for verifying the hardware information of terminal equipment and the security state of the device, and the application detection module is used for detecting whether an application process is secure, such as whether a vulnerability exists, whether a virus Trojan exists or not and the like. When the detection of each dimension by the security detection center is passed, a resource access bill is sent to the security application client, meanwhile, the service for inspection continuously performs virus inspection and killing on the process, and when the existence of the virus in the process is detected, the security application client is informed to execute asynchronous blocking operation, and the use of the resource access bill is interrupted.
For easy understanding, please further refer to fig. 3, fig. 3 is a schematic diagram of a scenario for data interaction according to an embodiment of the present application. As shown in fig. 3, the user terminal 30A in the embodiment of the present application may be a user terminal corresponding to an accessing user (e.g., the user a), and the user terminal 30A may be any one of the user terminals in the embodiment corresponding to fig. 1, for example, the user terminal 100A. Wherein the user terminal has a secure application client (such as the secure application client 301a shown in fig. 3) running thereon, and an access agent component (such as the access agent 301b shown in fig. 3) is configured in the secure application client 301 a. Wherein it should be appreciated that the security application client 301a and the access agent 301b are shown separately herein for the purpose of logical flow differentiation. The secure application server 30B shown in fig. 3 may be a server corresponding to the secure application client, and the secure application server 30B may be the server 101 in fig. 1. The intelligent gateway 30C shown in fig. 3 may be an internetworking device associated with a secure application client and may correspond to the intelligent gateway 102 shown in fig. 1. The service server 30D shown in fig. 3 may be a service server corresponding to a service application accessed by the accessing user (i.e., user a).
It should be appreciated that in the embodiment of the present application, the user a may access the secure application client 301a operated by the user terminal 30A through a user account (e.g., user account 1) created by a managing user (e.g., user B) of the secure application client 301a. When a user a initiates a resource access request to a client a in a browser B through a service application (or service client, for example, browser B) in the user terminal 30A, the access agent 301B running on the secure application client 301a executes step S31 when intercepting the resource access request, and sends an authentication request for the resource access request to the secure application client 301a. In other words, the access proxy applies the security application client 301a for the access credential requested by the current network. At this time, when the secure application client 301a obtains the relevant parameters in the authentication request based on the authentication request, the terminal device information of the user terminal 30A is obtained at the same time, where in the embodiment of the present application, the terminal device information may be referred to as device application data information. In addition, the secure application client 301a verifies the access right of the user a, and generates a ticket acquisition request. Further, step S32 is performed, and the secure application client 301a transmits a ticket acquisition request to the secure application server 30B. The security application server 30B authenticates the access right of the user a, and when determining that the user a has the access right, can acquire a zero-trust network access policy, further determine a ticket generation influencing factor based on the zero-trust network access policy and the device application data information, and further access the ticket for the resource configured by the user a. The resource access ticket may include a first access ticket and a second access ticket, where the zero trust network access policy may be configured for user a by a management user of the security management client. Further, step S33 is executed, and the secure application server 30B returns a resource access request to the secure application client 301 a. It should be appreciated that the secure application client 301a may identify the first access ticket and the second access ticket in the resource access request to determine ticket types for the first access ticket and the second access ticket. Further, when the secure application client 301a recognizes that the first access ticket is a first type access ticket and the second access ticket is a second type access ticket, step S34 is executed, and the secure application client 301a sends the resource access ticket to the access agent 301b. Specifically, the secure application client 301a encrypts the first type of access ticket and transmits it to the access agent 301b through a highly secure transmission channel, and does not encrypt or lower encrypt the second type of access ticket and transmits it to the access agent 301b through a low secure channel. Among other things, it should be appreciated that the highly secure transmission channel may be referred to herein as a first data transmission channel and the low secure transmission channel may be referred to herein as a second data transmission channel in embodiments of the present application. Further, the access agent 301b generates a ticket checking request after receiving the resource access ticket, and performs step S35 to send the ticket checking request to the intelligent gateway 30C. Further, the intelligent gateway 30C performs step S36 to send a ticket checking request to the secure application server 30B. The security application server 30B receives the ticket checking request, performs step S37, checks the tickets in the ticket checking request respectively to obtain a ticket checking result, performs step S38 after the ticket checking result indicates that the ticket checking is passed, and further performs step S39 when the intelligent gateway 30C obtains the resource access request forwarded by the access agent, and transmits the resource access request to the service server 30D. Further, the service server 30D performs step S40 to return the service data resource (the above-mentioned document a) to the intelligent gateway 30C, so that the intelligent gateway 30C performs step S41 to send the service data resource (the above-mentioned document a) to the access agent 301b, so that the user a can acquire the service data resource (the above-mentioned document a) through the terminal 30A.
It should be noted that, in the embodiment of the present application, when the user terminal (for example, the user terminal 30A shown in fig. 3) obtains relevant user information (for example, the information of the user a) may display a prompt interface, a popup window, or output voice prompt information, where the prompt interface, the popup window, or the voice prompt information is used to prompt the user terminal to collect relevant data currently, so that the present application only starts to execute the relevant step of obtaining the information of the user a after obtaining the confirmation operation of the user on the prompt interface or the popup window, or otherwise (that is, when the confirmation operation of the user on the prompt interface or the popup window is not obtained), ends the relevant step of obtaining the information of the user a. In other words, the user information collected by the application is collected under the condition that the user agrees and authorizes, and the collection, the use and the processing of the related user information need to comply with the related laws and regulations and standards of the related country and region.
The foregoing fig. 3 is merely a description of a general data interaction scenario for a data resource access method, and a specific process will be further described in the embodiments of fig. 4 to 10.
For easy understanding, please refer to fig. 4, fig. 4 is a flowchart illustrating a method for accessing data resources according to an embodiment of the present application. As shown in fig. 4, the method may be performed by a secure application server, which may correspond to the server 101 shown in fig. 1 described above. The method may specifically comprise the following steps S101-S103.
Step S101, receiving a ticket acquisition request for service data resources sent by a security application client, generating a first access ticket and a second access ticket associated with the service data resources based on equipment application data information when equipment application data information of terminal equipment where the security application client is located is acquired based on the ticket acquisition request, returning the first access ticket and the second access ticket as resource access tickets to the security application client, so that the security application client sends the first access ticket to an access agent in the security application client through a first data transmission channel when the security application client recognizes that the resource access ticket contains the first access ticket and the second access ticket, and sends equipment auxiliary information associated with the terminal equipment and the second access ticket to the access agent through a second data transmission channel;
The security transmission level of the first data transmission channel is higher than that of the second data transmission channel.
The method comprises the steps that a security application client side receives a request for accessing a service data resource, wherein the request for acquiring a ticket is generated by the security application client side based on equipment application data information and access verification data information of the access object, and the access verification data information is acquired from the service client side when the access agent intercepts a resource access request for the service data resource sent by the access object through the service client side, and the information verification is determined when the information verification is successful;
The access object may correspond to the above access user (e.g., user a), and the service client may be a certain application client, for example, a video client, a game client, a browser client, etc., which will not be limited herein.
When the secure application client obtains the authentication request sent by the access agent, the secure application client obtains a request parameter (for example, request parameter 1) in the authentication request, where the request parameter 1 may include, but is not limited to, a source IP or domain name, a source port, a destination IP or domain name, a destination port, a process identifier PID (Process ID) corresponding to the application, and the like. The access data information may include information in the request parameter 1.
In addition, it should be understood that the secure application client needs to collect information such as terminal information, login user information (i.e. access verification data information), application feature information, and the like when applying for the resource access ticket. The terminal information may be a terminal unique identifier, terminal software and hardware information, a compliance detection result, etc., the login user information (i.e. access verification data information) may be a user name, a user id, etc. of a user logging in the secure application client, and the application feature information may be a source IP or domain name, a source port, a destination IP or domain name, a destination port, and information such as MD5, a process path, a latest process modification time, copyright information, signature information, etc. of a process collected according to a process PID corresponding to the application. The login user is a user who logs in the secure application client, namely the access object. Further, the secure application client may send a ticket acquisition request for the service data information to the secure application server based on the access authentication data information and the device application data information (i.e., the terminal information, the user id and the user name of the login user, and the application feature information described above).
The security application server can receive a ticket acquisition request for service data resources sent by a security application client and acquire service access strategies configured for an access object in a service access database based on the ticket acquisition request, further, the security application server can acquire equipment application data information of terminal equipment from the ticket acquisition request and determine ticket generation influence factors associated with the access object based on the service access strategies and the equipment application data information, and in addition, the security application server can generate a first access ticket and a second access ticket based on the ticket generation influence factors, the equipment application data information and the access verification data information and can return the first access ticket and the second access ticket to the security application client as resource access tickets.
Wherein, the bill generation influencing factors refer to factors for the security application server to judge whether to respond to the resource access bill.
In the embodiment of the present application, the service access policy may be a zero-trust network access policy formulated by an enterprise administrator for an access object based on a person/device/application according to the embodiment illustrated in fig. 2. The zero trust network access policy will be further described herein, and an enterprise administrator may group users in an enterprise, for example, may group users in an enterprise into a group 1, a group 2, and a group 3, record information such as a user account number, a user post, and a user service age of each group user, and configure service sites that may be accessed and service resources corresponding to the service sites for each group user. The service sites herein may include, but are not limited to, sites where the QQ browser, weChat, enterprise WeChat, etc. can obtain service resources. It should be understood that the service site configured herein is a trusted application, and in addition, the service resource corresponding to the service site is an reachable area. It should be appreciated that the enterprise administrator may also categorize sensitivity for individual business sites, e.g., the QQ browser described above may be configured as a non-sensitive site, and enterprise WeChat and WeChat as highly sensitive sites. In addition, the enterprise administrator may also configure user rights among enterprise users. For example, the user of department a may be configured as a high-authority user, and the user of department B may be configured as a normal user (i.e., a low-authority user).
After the security application server determines the ticket generation influencing factor associated with the access object based on the service access policy and the device application data information, the specific implementation manner of generating the first access ticket and the second access ticket based on the ticket generation influencing factor, the device application data information and the access verification data information may include the following four cases.
In one implementation manner, it is understood that the access verification data information comprises object information of an access object, equipment information of terminal equipment and client information of a service client, the equipment application data information comprises resource characteristic information used for representing service data resources, the bill generation influencing factors comprise resource sensitivity of the service data resources, and the resource sensitivity is determined based on the configured resource sensitivity of the matched resource configuration characteristic information when the resource characteristic information is matched with the resource configuration characteristic information in a service access strategy;
The object information of the access object may include, but is not limited to, a user name and a user id of the access object login security for the client. The device information of the terminal device may include, but is not limited to, the model, manufacturer, firmware version, recall information and security hole of the terminal device, processor information, memory and hard disk capacity, etc. The client information of the service client may include, but is not limited to, MD5 of the process of the application, process path, process latest modification time, etc. The service client may be a certain application client, for example, a video client, a game client, a browser client, and the like.
The resource feature information may be feature information of the access object accessing the service data resource, for example, the service data resource accessed by the access object is document a, and at this time, the resource feature information may be a document name, a document size, and the like of the document a. Correspondingly, the sensitivity of the business data resource may refer to the sensitivity of the document a described above. As described above, the enterprise administrator may classify the sensitivity for each service site, and assume that the document A is an attendance table of the enterprise, and at this time, the enterprise administrator may find the resource configuration feature information matched with the document A in the zero-trust network access policy. For example, the resource configuration characteristic information may be that the document associated with the attendance is a non-sensitive resource, at which point it may be determined that document A is a non-sensitive resource. And then, assuming the document A is a financial condition table of the enterprise, at the moment, an enterprise administrator can search the resource configuration characteristic information matched with the document A in the zero-trust network access strategy. For example, the resource configuration characteristic information may be that the document associated with the finance is a highly sensitive resource, at which point document A may be determined to be a highly sensitive resource.
The security application server can acquire object information, equipment information and client information in access verification data information from a bill acquisition request, can perform first identity authentication on an access object based on the object information, the equipment information and the client information to obtain a first identity authentication result, further, when the first identity authentication result indicates that the access object has access rights, the security application server can sensitively detect resource sensitivity in a bill generation influence factor based on a resource sensitivity threshold indicated by a service access policy, and can send authentication indication information for performing second identity authentication on the service object to a security application client when the resource sensitivity in the bill generation influence factor is detected to reach the resource sensitivity threshold, and further, the security application server can receive secondary access data information sent by the service client through the security application client, and further can generate a first bill based on the first bill generation policy and the equipment application data information indicated by the service access policy when the secondary access data information is determined to be consistent with the access verification data information, and can generate a bill based on the second bill generation policy and the second application data information indicated by the service access policy.
It should be understood that, the above description has been made in detail on the access verification data information, and at this time, the identity verification module in the security detection service in the security application server in the embodiment corresponding to fig. 2 may verify the object information in the access verification data information, the device feasible module may verify the device information, and the application detection module may verify the client information. In this way, the security of the access object, the terminal device, and the application can be effectively ensured, thereby ensuring the reliability of the access process. Further, the resource sensitivity threshold may be a high sensitivity resource, and any service data resource that is a high sensitivity resource is a resource that reaches the resource sensitivity threshold. It may be understood that, at this time, the security application server may receive the secondary access data information sent by the service client through the security application client, and further may generate the first access ticket based on the first ticket generation policy and the device application data information indicated by the service access policy when determining that the secondary access data information is consistent with the access verification data information, and may generate the second access ticket based on the second ticket generation policy and the device application data information indicated by the service access policy. It should be understood that when the resource sensitivity of the service data resource reaches the resource sensitivity threshold, the access object is withdrawn from the secure application client, the access user is logged in again, the second access verification data information is sent to the secure application server, and the secure application client performs the second authentication. Only when the secondary authentication passes, the first access ticket and the second access ticket are generated, and the secondary authentication mechanism can further effectively ensure the security and reliability of the access object for accessing the business data resource.
In one implementation manner, it is understood that the access verification data information comprises object information of an access object, equipment information of a terminal device and client information of a service client, the equipment application data information comprises authority characteristic information used for representing access authority of the access object, and the ticket generation influencing factors comprise authority levels of the access authority;
The specific explanation of the access verification data information including the object information of the access object, the device information of the terminal device, and the client information of the service client may be referred to the above explanation of the access verification data information, and will not be described herein. In addition, the rights feature information may be information capable of characterizing access rights of the access object, and may include, but is not limited to, an account name of the access object, a service age of the access object, a job position of the access object, and the like. As described above, in addition, the enterprise administrator may configure user rights among enterprise users. For example, the user of department a may be configured as a high-authority user, and the user of department B may be configured as a normal user (i.e., a low-authority user). At this time, the enterprise administrator may find out the resource configuration feature information matching the document a in the zero trust network access policy. For example, the rights configuration feature information may be that the user of department A is a high-rights user, at which time it may be determined that the rights level of the access object is high-rights.
The security application server can obtain object information, equipment information and client information in the access verification data information from the bill obtaining request, can conduct first identity authentication on the access object based on the object information, the equipment information and the client information to obtain a first identity authentication result, further can conduct level detection on the authority level in the bill generation influence factor based on the authority level threshold indicated by the service access strategy when the first identity authentication result indicates that the access object has the access right, and can generate a first access bill based on the third bill generation strategy indicated by the service access strategy and the equipment application data information when the authority level in the bill generation influence factor reaches the authority level threshold, and generate a second access bill based on the fourth bill generation strategy indicated by the service access strategy and the equipment application data information.
It should be appreciated that the above process of performing the first authentication on the access object has been described in detail, and will not be described in detail herein. It should be appreciated that this effectively ensures the security of the access object, the terminal device and the application, thereby ensuring the reliability of the access procedure. Further, the authority level threshold may be a high authority, and any authority level detection for the query object is high authority, that is, the authority level threshold is reached. It may be understood that, at this time, the security application server may receive the secondary access data information sent by the service client through the security application client, and further may generate the first access ticket based on the third ticket generation policy and the device application data information indicated by the service access policy when determining that the secondary access data information is consistent with the access verification data information, and may generate the second access ticket based on the fourth ticket generation policy and the device application data information indicated by the service access policy.
In one implementation manner, it is understood that the access verification data information comprises object information of an access object, equipment information of terminal equipment and client information of a service client, the equipment application data information comprises access behavior information used for representing access behavior of the access object, and ticket generation influence factors comprise behavior deviation degree between the access behavior information and a normal access behavior baseline, wherein the normal access behavior baseline is formed by a security application server collecting and recording historical access behavior information of the access object;
The specific explanation of the access verification data information including the object information of the access object, the device information of the terminal device, and the client information of the service client may be referred to the above explanation of the access verification data information, and will not be described herein. Further, the access behavior information includes, but is not limited to, time, frequency, etc. at which the access object accesses the business data resource. For example, the number of accesses to document a by an access object (e.g., user a) is K times, and the access time is 3:00:00. The security application server continuously gathers the access time set of the user A to the document A, and the access time in the access time set is assumed to be distributed in 8:00:00-18:00:00. The normal visit behavior baseline formed at this time may be a visit behavior time baseline.
Optionally, the normal access behavior baseline may be formed by collecting and recording, by the security application server, access behaviors of an access object having the same attribute as the access object (for example, user a), where the same attribute may refer to a user group (for example, user group C) that is in the same working position as user a, and the security application server may continuously collect behavior feature information of access behaviors of users in user group C, so as to record access time of service data resources (for example, document a) in user group C. The normal visit behavior baseline formed by the visit behavior of the user group C at this time may be the visit time baseline of the user group C.
The security application server can acquire object information, equipment information and client information in access verification data information from a bill acquisition request, can conduct first identity authentication on an access object based on the object information, the equipment information and the client information to obtain a first identity authentication result, further can compare the behavior deviation degree in bill generation influence factors based on a behavior deviation degree threshold indicated by a service access policy to obtain a first comparison result when the first identity authentication result indicates that the access object has access rights, and further can send authentication indication information for conducting second identity authentication on the service object to the security application client when the first comparison result indicates that the behavior deviation degree in the bill generation influence factors reaches the behavior deviation degree threshold, and further can receive secondary access data information sent by the service client through the security application client, generate a first bill access policy based on fifth generation, equipment application data indicated by the service access policy and generate a sixth bill access policy when the second access data information is determined to be consistent with the access verification data information.
It should be appreciated that the above process of performing the first authentication on the access object has been described in detail, and will not be described in detail herein. It should be appreciated that this effectively ensures the security of the access object, the terminal device and the application, thereby ensuring the reliability of the access procedure. Further, assuming that the normal access behavior baseline is the baseline formed by the access time, the behavior deviation degree may refer to a difference value of the access time, and the deviation degree threshold configured in the zero-trust network access policy may be 3 hours. Assuming that the access time of the normal access behavior baseline is 8:00:00-18:00:00, the access time of the access object is 3:00:00. At this time, it may be determined that the behavior deviation degree of the access behavior of the access object is 5 hours, that is, the behavior deviation degree threshold is reached. It may be understood that, at this time, the security application server may receive the secondary access data information sent by the service client through the security application client, and further may generate the first access ticket based on the fifth ticket generation policy and the device application data information indicated by the service access policy when determining that the secondary access data information is consistent with the access verification data information, and may generate the second access ticket based on the sixth ticket generation policy and the device application data information indicated by the service access policy. It should be understood that when the deviation between the access behavior of the access object and the behavior baseline of the normal access behavior reaches the behavior deviation threshold, the access object is logged out of the secure application client, the access user is logged in again, the second access verification data information is sent to the secure application server, and the secure application client performs the second authentication. Only when the secondary authentication passes, the first access ticket and the second access ticket are generated, and the secondary authentication mechanism can further effectively ensure the security and reliability of the access object for accessing the business data resource.
In one implementation manner, it should be understood that the access verification data information includes object information of an access object, device information of a terminal device and client information of a service client;
the specific explanation of the access verification data information including the object information of the access object, the device information of the terminal device, and the client information of the service client may be referred to the above explanation of the access verification data information, and will not be described herein. In addition, the environmental status information of the environmental status of the terminal device may include, but is not limited to, a device security level of the terminal device, a network location of the terminal device, whether the terminal device has a vulnerability, and the like.
The security application server can acquire object information, equipment information and client information in access verification data information from a bill acquisition request, can conduct first identity authentication on an access object based on the object information, the equipment information and the client information to obtain a first identity authentication result, further can compare environmental state information in bill generation influence factors based on an environmental state threshold indicated by a service access strategy to obtain a second comparison result when the first identity authentication result indicates that the access object has access rights, and further can send authentication indication information for conducting second identity authentication on the service object to the security application client when the second comparison result indicates that the environmental state information in the bill generation influence factors reaches the environmental state threshold.
It should be appreciated that the above process of performing the first authentication on the access object has been described in detail, and will not be described in detail herein. It should be appreciated that this effectively ensures the security of the access object, the terminal device and the application, thereby ensuring the reliability of the access procedure. Furthermore, the enterprise administrator may configure an environmental status threshold based on a zero trust network access policy, where the environmental status threshold may be that the terminal device has a security hole, and the network location is outside a company corresponding to the enterprise, and so on. Assuming that the device state of the terminal device has two security holes at this time, it may be determined that the device environment state of the terminal device reaches an environment state threshold. It may be understood that, at this time, the security application server may receive the secondary access data information sent by the service client through the security application client, and further may generate the first access ticket based on the seventh ticket generation policy and the device application data information indicated by the service access policy when determining that the secondary access data information is consistent with the access verification data information, and may generate the second access ticket based on the eighth ticket generation policy and the device application data information indicated by the service access policy. It should be understood that when the environmental state of the terminal device changes to reach the environmental state threshold, the access object is withdrawn from the secure application client, the access user is logged in again, the secondary access verification data information is sent to the secure application server, and the secure application client performs secondary authentication. Only when the secondary authentication passes, the first access ticket and the second access ticket are generated, and the secondary authentication mechanism can further effectively ensure the security and reliability of the access object for accessing the business data resource.
Taking the security application server to generate the first access ticket and the second access ticket as an example, the specific process may be as follows, where the security application server may use the device application data information as a first basic data field, and further perform a first marking operation on the first basic data field to obtain a first marking field, and may generate a first type of access ticket based on a first ticket generation policy indicated by the service access policy, and may use the first type of access ticket as the first access ticket; further, the security application server may use the device application data information as a second basic data field, further perform a second marking operation on the second basic data field to obtain a second marking field, generate a second type access ticket based on a second ticket generating policy indicated by the service access policy, and use the second type access ticket as the second access ticket.
It should be understood that, the device application data information includes the unique identifier of the terminal, the software and hardware information of the terminal, the compliance detection result, the name of the login user (i.e. the access object), the account information, the source IP or domain name, the source port, the destination IP or domain name, the destination port, and the MD5 of the process collected according to the PID of the process corresponding to the application, the process path, the latest modification time of the process, the copyright information, and the signature information. Therefore, the first basic data field is the application data information of the device, and the information can be arranged randomly. In addition, the first marking operation may be marking a header field in the first basic data field, for example, marking the header field as 0, and it should be understood that the first marking field is a field in which the header field is marked as 0.
Similarly, the second basic data field is the application data information of the device, and the information can be arranged randomly. Similarly, the second marking operation may be marking a header field in the second basic data field, for example, marking the header field as 1, where it should be understood that the second marking field is a field with a header field marked as 1.
It should be appreciated that the above-described process is performed at a ticket center in a secure application server as shown in fig. 2, further that the ticket center contains a first ticket generation policy and a second ticket generation policy indicated by a traffic access policy (e.g., a zero trust network access policy). The first bill generation strategy and the second bill generation strategy can be the same strategy or different strategies. Specifically, the first ticket generation policy may be oauth2.0, and the second ticket generation policy may be JWT (JSON Web Token). It should be understood that oauth2.0 and JWT both refer to methods of configuring network access credentials (i.e., resource access tickets) for access with access rights. In the embodiment of the application, the first bill generation strategy and the second bill generation strategy are not limited.
It should be noted that the first type of access ticket and the second type of access ticket have similar appearance characteristics, for example, the same length, and are both composed of specific case letters and numbers, or special characters. In addition, ticket identification policies for identifying the first type of access ticket and the second type of access ticket are commonly agreed between the security application server and the security application client (including the access proxy). Specifically, when the subsequent security application server receives the bill verification request, the bill in the bill verification request can be analyzed, so that bill identification is performed. For example, the identification may be performed based on the first tag field and the second tag field, and specifically, the ticket including the first tag field may be identified as a first type of access ticket, and the ticket including the second tag field may be identified as a second type of access ticket. The specific process of analyzing the ticket in the ticket checking request by the security application server, thereby identifying the ticket, will be described in detail in the following embodiments, and will not be described in detail here.
Note that the security application client also performs ticket identification on the resource access ticket, where a specific process will be described in detail in the following embodiments. In addition, the specific process of the security application client sending the first type of access ticket to the access agent through the first data transmission channel, and sending the second type of access ticket to the access agent through the second data transmission channel will be described in detail in the following embodiments.
Wherein, optionally, the number of the second type of access ticket may be multiple, and is configured by a service data policy (i.e. a zero trust network access policy), and the embodiment of the present application will not limit the number of the second type of access ticket.
Specifically, referring to fig. 5, fig. 5 is a schematic diagram of generating a resource access ticket according to an embodiment of the present application. After the secure application server receives the resource access request, the secure application server acquires a resource access request (namely application process information) initiated by an access object from equipment data information in the resource access request, and then issues an access ticket based on the ticket generation influencing factors, the equipment application data information and the access verification data information. As shown, the policy center determines process 1 for the process PID in the device application data information, generates ticket a corresponding to process 1, ticket B corresponding to process 1, and ticket N corresponding to process 1. The ticket a corresponding to the generated process 1 is a first type access ticket, the ticket B corresponding to the process 1 is a second type access ticket. It should be appreciated that process 1 may represent information such as when an access object initiates access to a business data resource, a resource name of the business data resource, and the like.
Optionally, the process that the security application server generates the first type of access ticket based on the third ticket generating policy and generates the second type of access ticket based on the fourth ticket generating policy, the process that the security application server generates the first type of access ticket based on the fifth ticket generating policy and generates the second type of access ticket based on the sixth ticket generating policy, and the process that the security application server generates the first type of access ticket based on the seventh ticket generating policy and generates the second type of access ticket based on the eighth ticket generating policy may refer to the process that the security application server generates the first type of access ticket based on the first ticket generating policy and generates the second type of access ticket based on the second ticket generating policy, which will not be described herein.
Further, the security application server issues the ticket as a resource access ticket to the security application client, where the related processing of the security application client will be described in detail in the following embodiments, and will not be described in detail herein.
Step S102, receiving a bill verification request sent by an access agent through an intelligent gateway, and respectively carrying out bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request to obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified;
it should be understood that, the intelligent gateway is deployed between the service client in the terminal device and the service server storing the service data resource, and may refer to the zero trust gateway in the corresponding embodiment of fig. 2.
It should be appreciated that the ticket identification operation may be performed after receiving a ticket verification request sent by the access agent through the intelligent gateway. The security application server can acquire a first bill to be identified and a second bill to be identified from a bill verification request, further can perform first bill identification operation on the first bill to be identified based on a bill identification strategy to obtain a first bill identification result, and can determine that the first bill to be identified is a first type access bill and take the first type access bill as the first bill to be verified if the first bill identification result indicates that a first mark field is identified in the first bill to be identified, and further can perform second bill identification operation on the second bill to be identified based on the bill identification strategy to obtain a second bill identification result, and can determine that the second bill to be identified is a second type access bill and take the second type access bill as the second bill to be verified if the second bill identification result indicates that a second mark field is identified in the second bill to be identified.
It should be understood that, in the above-mentioned ticket identification policy is commonly agreed upon by the secure application client and the secure application server, as in the above-mentioned step S101, the first type of access ticket includes a first flag field (i.e., a field with a header field marked with 0) and a second flag field (i.e., a field with a header field marked with 1). The ticket identification policy is specifically expressed as identifying a ticket containing a first tag field as a first type of access ticket and identifying a ticket containing a second tag field as a second type of access ticket.
Specifically, referring to fig. 6, fig. 6 is a schematic diagram of performing ticket verification and obtaining a ticket verification result according to an embodiment of the present application. As shown in fig. 6, the method may be performed by a secure application server, which may be secure application server 30B in the corresponding embodiment of fig. 3. The method may specifically comprise the following steps S201-S208.
Step S201, performing a first information analysis operation on a first bill to be checked to obtain first configuration check information associated with a first type of access bill;
The first configuration verification information may include the above-mentioned terminal device data information, that is, the unique identifier of the terminal, the terminal software and hardware information, the compliance detection result, the name and account information of the login user (i.e., the access object), the source IP or domain name, the source port, the destination IP or domain name, the destination port, and the MD5 of the process collected according to the process PID corresponding to the application, the process path, the latest modification time of the process, the copyright information, and the signature information. The method can also comprise the information of the maximum use times of the bill of the first bill to be checked, the effective time of the bill and the like.
Step S202, carrying out bill verification on a first bill to be verified based on first configuration verification information to obtain a first bill verification result;
The security application server detects the first configuration check information at a security detection position, if the user information in the first configuration check information is verified to be credible, the process PID is safe, and the compliance detection is passed, the first configuration check information is judged to have validity, and whether the ticket effective time of the first ticket to be checked is expired and whether the ticket still has the use times or not is synchronously checked. If the information is checked, the first bill to be checked can be determined to be the first access bill. Otherwise, if any item is not verified, the first ticket to be verified is determined to be not the first access ticket.
Step S203, performing a second information analysis operation on the second bill to be checked to obtain second configuration check information associated with the second type access bill;
The second configuration verification information may include the above-mentioned terminal device data information, that is, the unique identifier of the terminal, the terminal software and hardware information, the compliance detection result, the name and account information of the login user (i.e., the access object), the source IP or domain name, the source port, the destination IP or domain name, the destination port, and the MD5 of the process collected according to the process PID corresponding to the application, the process path, the latest modification time of the process, the copyright information, and the signature information. And the method can also comprise the information of the maximum use times of the bill of the second bill to be checked, the effective time of the bill and the like.
Step S204, carrying out bill verification on the second bill to be verified based on the second configuration verification information and the equipment auxiliary information to obtain a second bill verification result;
The device auxiliary information is obtained from a terminal registry by the security application client after receiving the resource access ticket based on the information acquisition component, wherein the terminal registry comprises machine information, software and hardware information of the terminal device and login information (namely account, id and the like of an access object) of the access object.
And if the second bill checking result indicates that the second configuration checking information passes the checking, and the second configuration checking information is consistent with the equipment auxiliary information, determining that the second bill to be checked is a second access bill. Specifically, the security application server detects the second configuration verification information at a security detection position, if the user information in the second configuration verification information is verified to be credible, the process PID is safe, and the compliance detection is passed, the second configuration verification information is judged to have validity, and whether the ticket valid time of the second ticket to be verified is expired and whether the ticket still has the use times is synchronously verified. In addition, the device auxiliary information and the information in the second configuration verification information are compared, and if the comparison results are consistent and the information verification passes, the second ticket to be verified can be determined to be the second access ticket. Otherwise, if any item does not pass, the second ticket to be checked is determined to be a non-second access ticket.
Step S205, if the first bill checking result indicates that the first bill to be checked is a first access bill and the second bill checking result indicates that the second bill to be checked is a second access bill, the intelligent gateway is informed to forward the resource access request to the service server when acquiring the resource access request sent by the service client intercepted by the access agent;
It should be understood that if the first ticket checking result indicates that the first ticket to be checked is the first access ticket, and the second ticket checking result indicates that the second ticket to be checked is the second access ticket, this means that the resource access ticket is issued at the security application server, and the ticket to be checked forwarded by the security application client through the access proxy and the intelligent gateway is not tampered by an attacker in the transmission process, that is, the access process is secure. Therefore, the access agent can send the resource access request to the intelligent gateway, and the intelligent gateway forwards the resource access request to the service server, so that the service server returns the service data resource to the intelligent gateway. Further, the intelligent gateway returns the service data resource to the service client through the access proxy, so that the access object obtains the service data resource. This means that the resource access process is completely finished, and the access process is safe and reliable.
Step S206, if the first bill verification result indicates that the first bill to be verified is a first access bill and the second bill verification result indicates that the second bill to be verified is not a second access bill, notifying the security application client to interrupt the connection between the access agent and the intelligent gateway;
The second ticket checking result indicates that the second ticket to be checked is not the second access ticket, that is, the second configuration checking information is not checked, or the device auxiliary information is inconsistent with the second configuration checking information, which means that the resource access ticket is issued at the security application server, and the ticket to be checked forwarded by the security application client through the access agent and the intelligent gateway has possibility of being tampered by an attacker in the transmission process, that is, the access process is unsafe. Thus, the security application server takes security defenses, including informing the security application client to interrupt the connection between the access proxy and the intelligent gateway, forcing the access object to exit the application (i.e., the application that initiated the resource access request), and so on. In the embodiment of the present application, specific operations of the security defense operation described above will not be limited.
It should be understood that the valid time of the second bill to be verified and the maximum use number of the bill are verified, if the bill is expired or the maximum use number is 0, the bill is not verified, and therefore, the security application server adopts the security defensive measures as described above.
Step S207, if the first bill verification result indicates that the first bill to be verified is not the first access bill, and the second bill verification result indicates that the second bill to be verified is the second access bill, notifying the security application client to interrupt the connection between the access agent and the intelligent gateway;
The first ticket checking result indicates that the first ticket to be checked is not the first access ticket, that is, the first configuration checking information is not checked, which means that the resource access ticket is issued at the security application server, and the ticket to be checked forwarded by the security application client through the access agent and the intelligent gateway has the possibility of being tampered by an attacker in the transmission process, that is, the access process is unsafe. Thus, the security application server takes security defensive measures as in step S206 described above.
It should be understood that the valid time and the maximum number of times of using the ticket are also checked, and if the ticket has expired or the maximum number of times of using is 0, the ticket is checked not to pass, so the security application server adopts the security defense measures as described above.
Step S208, if the first bill verification result indicates that the first bill to be verified is not the first access bill and the second bill verification result indicates that the second bill to be verified is not the second access bill, the security application client is informed to interrupt the connection between the access agent and the intelligent gateway.
It should be understood that the first ticket checking result indicates that the first ticket to be checked is not the first access ticket, and the second ticket checking result indicates that the second ticket to be checked is not the second access ticket, which also means that the resource access ticket is issued at the secure application server, and the ticket to be checked forwarded by the secure application client through the access proxy and the intelligent gateway has the possibility of being tampered with by an attacker in the transmission process, i.e. the access process is unsafe. Thus, the security application server takes security defensive measures as in step S206 described above.
Optionally, if the security application server parses the second ticket to be verified, if the parsing of the second ticket to be verified fails, the second access ticket may be tampered by an attacker, and at this time, the security application server takes the security defense measures in step S206.
Optionally, in the embodiment of the present application, when the security application server receives the ticket checking request and further performs ticket identification on the ticket carried in the ticket checking request, once the second type of access ticket is identified, the security application server may notify the security application client to limit the access authority of the access object, and may further perform security defense operations such as identity verification on the access object.
Step S103, when the first bill checking result indicates that the first bill to be checked is a first access bill and the second bill checking result indicates that the second bill to be checked is a second access bill, the intelligent gateway is informed to forward the resource access request to the service server when acquiring the resource access request sent by the service client intercepted by the access agent;
wherein the resource access request is used to instruct the service server to authorize the service client to access the service data resource, e.g. an access request for document a (i.e. the service data resource) initiated by the access object (e.g. user a described above) via the service application (e.g. browser B).
The specific implementation process of step S103 may be referred to the description in step S205, and will not be described herein.
Therefore, in the embodiment of the application, the security application server can receive the ticket acquisition request for the service data resource sent by the security application client, generate the first access ticket and the second access ticket associated with the service data resource based on the device application data information when acquiring the device application data information of the terminal device where the security application client is located based on the ticket acquisition request, and return the first access ticket and the second access ticket as resource access tickets to the security application client, so that the security application client can send the first access ticket to an access proxy in the security application client through a first data transmission channel when recognizing that the resource access ticket contains the first access ticket and the second access ticket, and send the device auxiliary information associated with the terminal device and the second access ticket to the access proxy through a second data transmission channel, wherein the security transmission grade of the first data transmission channel is higher than that of the second data transmission channel, and the security application server transmits the first access ticket and the second access ticket through the second data transmission channel with a lower security grade. This means that no encryption processing will be performed on the second type of access ticket or a low level encryption processing will be performed on the second type of access ticket. Therefore, when an attacker intends to tamper the access ticket, the attacker can misuse the second access ticket as the first access ticket issued by the server to induce the attacker to tamper the second access ticket, so that the tamper behavior of the attacker is judged when the second access ticket is checked later. Further, the security application server can receive a bill verification request sent by the access agent through the intelligent gateway, respectively perform bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request, obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified, and further, when the first bill verification result indicates that the first bill to be verified is the first access bill and the second bill verification result indicates that the second bill to be verified is the second access bill, notify the intelligent gateway to forward the resource access request to the service server when the resource access request sent by the service client intercepted by the access agent is acquired. Specifically, when the second type access ticket is checked, the related information of the second type access ticket generated through checking can be compared with the auxiliary information of the equipment, and when the comparison result indicates inconsistent, the security application server can effectively discover the falsification behavior of an attacker aiming at the second type access ticket, so that the access authority of an access object is disabled, the connection between the access agent and the intelligent gateway is interrupted, and the access is interrupted. Therefore, the security application server can effectively find the tamper behavior of the attack on the ticket and the illegal access behavior of the service data resource by issuing the first access ticket and the second access ticket, and can timely take security defense measures to interrupt the access session when finding the tamper behavior, thereby ensuring the security and reliability of the access object when accessing the service data resource.
Further, referring to fig. 7, fig. 7 is a flowchart of another data resource access method according to an embodiment of the present application. As shown in fig. 7, the method may be performed by a terminal device running a secure application client, which may be the user terminal 30A in the embodiment corresponding to fig. 3, and the secure application client may correspond to the secure application client 301a shown in fig. 3. The method may specifically comprise the following steps S301-S304.
Step S301, sending a bill acquisition request for business data resources to a security application server;
the specific implementation of step S301 may be referred to the description of the embodiment corresponding to fig. 3, and will not be described herein.
Step S302, receiving a resource access ticket returned by the security application server, and carrying out ticket identification on a first access ticket and a second access ticket carried in the resource access ticket to obtain a ticket identification result;
Wherein, it should be understood that the first access ticket and the second access ticket are generated by the security application server based on the device application data information of the terminal device where the security application client is located carried in the ticket acquisition request;
The security application server sends the first type of access ticket in the resource access ticket to the security application client, and network communication security between the security application client and the security application server is strictly ensured. First, to avoid using a protocol known to have a security hole, https bidirectional authentication is implemented using the latest transport layer security protocol (Transport Layer Security, TLS) version (such as TLS 1.3) and a secure encryption suite at both the secure application client and the secure application server, thereby implementing communication security between the terminal device and the secure application server. Further, SSL/TLS is configured in a Web server (e.g., nginnx) of the secure application server and server certificates are installed, while client certificate verification is enabled and trusted CA certificates are added to the trust list. Thus, the secure application server will require the secure application client to provide a valid client certificate during the TLS handshake. The CA certificate is issued by the authentication agency server, is a technical basic guarantee of digital signature, and can effectively ensure that information cannot be tampered in the communication process. Further, at the secure application client side, the certificate or public key of the secure application server is embedded into the application program in the secure application client, and secure storage of the certificate or public key is ensured in the encryption persistence library of the terminal start to write. When an HTTPS request is initiated, the security application client carries a client certificate and performs identity verification with the security application server. When TLS handshake is performed, the secure application client and the secure application server mutually verify the certificates of the other party, and in the secure application client, custom certificate verification logic is realized. When a TLS connection is established with the secure application server, the secure application client will verify whether the certificate provided by the secure application server matches the embedded certificate or public key. Only if the credentials match, the secure application client will accept the credentials of the secure application server and establish a secure connection. A secure communication channel is established only if both certificates are valid and trusted. Similarly, to improve the network communication security between the secure application client and the secure application server, the secure application client certificate is stored in the encrypted persistent library of the terminal start to write, so that the secure storage of the certificate is ensured, and leakage or abuse is prevented.
The security application client can receive a resource access ticket returned by the security application server, acquire a first access ticket and a second access ticket from the resource access ticket, further perform a first ticket identification operation on the first access ticket based on a ticket identification policy to obtain a first ticket identification result, wherein it is understood that the ticket identification policy is jointly determined by the security application client and the security application server, it is understood that the security application client can determine that the first access ticket is a first type of access ticket if the first ticket identification result indicates that a first tag field is identified in the first access ticket, it is understood that the first tag field is obtained by performing a first tag operation on a first basic data field, the first basic data field is equipment application data information, further perform a second ticket identification operation on the second access ticket based on the ticket identification policy to obtain a second ticket identification result, and further determine that the security application client can determine that the second access ticket is a first type of access ticket, if the second tag field is identified in the second access ticket, and the second tag field is understood as second basic data field.
In the foregoing embodiments, the security application server performs the process of identifying the ticket in the request to be verified in the embodiment corresponding to fig. 4, and will not be described in detail herein.
Step S303, when the bill identification result indicates that the first access bill is the first type access bill, the first type access bill is sent to an access agent in the security application client through a first data transmission channel;
it should be appreciated that after the secure application client obtains and recognizes the first type of access ticket (i.e., the first access ticket), components in the secure application client need to communicate and share the ticket by way of inter-process communication, etc. Taking communication between the secure application client and the access agent as an example, in order to promote the security of the communication (IPC) between the secure application client and the access agent, in addition to adopting a secure IPC mechanism, encrypting the transmitted data by adopting a relatively high-strength cryptographic algorithm (for example, AES symmetric encryption algorithm) and a mode (for example, GCM mode), and enhancing the communication security in combination with other modes, including using a key negotiation algorithm (for example, diffie-Hellman key exchange) to generate a shared key before establishing an IPC channel between the secure application client components. When the IPC channel is established, a session key is generated based on the dynamically negotiated shared key, which is used to encrypt and decrypt communication data, and a Message Authentication Code (MAC) which ensures that the data is not tampered with during transmission. And in the long-time IPC communication, a mechanism for updating the dynamic negotiation key at regular intervals is combined, so that the risk of cracking the key by an attacker is further reduced. Finally, programs on two sides of the IPC channel mutually check digital signatures, executable file hashes and the like of the opposite-end programs, so that the third-party programs are prevented from being forged into legal communication processes.
In addition, in order to improve the difficulty of cracking the secure communication mechanism in the secure application client by an attacker, the critical code segments related to the zero-trust network access system are shelled. The code of the original program can be confused by using the shell adding tool, so that the code is more difficult to understand in static analysis, and the difficulty of an attacker in analyzing the program is increased. Further, anti-debug and anti-probe functions are included in the shell program to prevent an attacker from using a debugger or probe to analyze the shell program. In other aspects, a terminal encryption (white box) persistence library is used for storing sensitive data including notes, a random key is used for encrypting the sensitive data in a memory, a ciphertext is stored in the memory, and the ciphertext is decrypted when in use and the plaintext is destroyed. It should be understood that the first data transmission channel is the secure transmission channel between the secure application client and the access agent.
It follows that the security of the storage of the first access ticket in the secure application client and the security of the transfer of the first access ticket between the secure application client and the access agent.
Step S304, when the bill identification result indicates that the second access bill is the second type access bill, acquiring equipment auxiliary information associated with the terminal equipment, transmitting the second type access bill and the equipment auxiliary information to an access proxy through a second data transmission channel, so that when the access proxy acquires the first type access bill and the second type access bill, the first type access bill is used as a first bill to be identified, the second type access bill is used as a second bill to be identified, generating a bill verification request based on the first bill to be identified, the second bill to be identified and the equipment auxiliary information, and transmitting the bill verification request to a security application server through an intelligent gateway.
The number of the second access notes is N, and N is a positive integer;
The security application client can store the second type of access ticket in a file storage system in the security application client and can take the second type of access ticket as an original storage ticket, further, the security application client can acquire equipment auxiliary information associated with the terminal equipment, can send the second type of access ticket, the equipment auxiliary information and a file path of the file storage system to the access proxy through a second data transmission channel, so that the access proxy can store S second type of access tickets in a memory as to-be-selected tickets when acquiring the second type of access ticket, wherein S is a positive integer smaller than N, and in addition, the security application client can send a ticket checking request generation instruction to the access proxy, so that when the access proxy receives the ticket checking request generation instruction, the first type of access ticket is taken as a first to-be-identified ticket, one ticket is selected as the second to-be-identified ticket, a ticket checking request is generated based on the first to-be-identified ticket, the second to-be-identified ticket and the equipment auxiliary information, and the ticket checking request is sent to the security application server through the intelligent gateway.
Wherein it should be appreciated that no security reinforcement or low level reinforcement (as compared to the first data transmission channel described above) is done during the process of the security application server sending the second type of access ticket, i.e. the second access ticket, to the security application client.
The specific process of the secure application client obtaining the device auxiliary information associated with the terminal device may be that the secure application client reads the terminal registry information in the secure application client through an information obtaining module configured in the secure application client, so as to obtain the device auxiliary information. The device auxiliary information may include machine information (e.g., machine name, device version, etc.) of the terminal device, software and hardware information (e.g., operating system type, operating system version information, and CPU model, etc. of the terminal device), login user (i.e., access object) information (e.g., user name, user account number), etc.
Further, the process of sending the second type of access ticket (i.e. the second access ticket) and the device auxiliary information to the access proxy by the security application server does not take any security reinforcement measures or takes a lower-level reinforcement method through the inter-process communication channel. For example, in the process of storing the second type access ticket in the local file system, encryption processing is not performed or symmetric encryption processing is performed on the file content by using a simple block encryption mode (for example, an ECB mode) by using a fixed short key, processing logic does not perform shell processing, the second type access ticket is transmitted in plaintext between processes, and a peer program is not checked. Here, the inter-process communication channel between the secure application server and the access agent is the second data transmission channel.
It will thus be appreciated that the security level of the first data transmission channel is higher than the security level of the second data transmission channel.
Further, referring to fig. 8, fig. 8 is a schematic diagram of a security application client processing a resource access ticket according to an embodiment of the present application. As shown in fig. 8, in the embodiment of the present application, the secure application server 80A may be a server corresponding to the secure application client, and the secure application server 80A may be the secure application server 30B in fig. 3. As shown in fig. 8, secure application client 80B may correspond to secure application client 301a as shown in fig. 3. Access agent 80C shown in fig. 8 may correspond to access agent 301b shown in fig. 3.
Specifically, the ticket center in the secure application server 80A sends a resource access ticket 801a to the secure application client 80B. Further, the secure application client 80B receives the resource access ticket 801a, further obtains the resource access ticket 801a, and performs a ticket identification operation on the resource access ticket 801a based on a ticket identification policy, thereby identifying and obtaining an access ticket 802a and an access ticket 802B in the resource access ticket 801a. It should be understood that, the access ticket 802a may correspond to the first type of access ticket, the access ticket 802b may correspond to the second type of access ticket, and the specific implementation of the ticket identification operation on the resource access ticket 801a may be described in the above step S302 and step S303. Further, the secure application client 80B obtains the information 802c and stores the access ticket 802a and the access ticket 802B in the file storage system 80a in an encrypted manner. It should be understood that the information 802c may correspond to the device auxiliary information, where the access ticket 802b may correspond to the original cache ticket (i.e., the second type of access ticket with the number N) and the specific implementation process of acquiring the information 802c may be described in the step S303.
Further, the secure application client 80B sends an access ticket 802a (i.e., a second type of access ticket) to the access agent 80C via the transmission channel 81a, and simultaneously sends the access ticket 802C, the information 802C, and the file path of the file storage system 80a to the access agent 80C via the transmission channel 81B. Among them, it should be understood that the transmission channel 81a herein may correspond to the above-described first data transmission channel, and the transmission channel 81b may correspond to the above-described second data transmission channel.
Based on the foregoing fig. 8, further, please refer to fig. 9, fig. 9 is a schematic diagram of processing a resource access ticket by an access agent according to an embodiment of the present application. As shown in fig. 9, access agent 90A may correspond to access agent 80C shown in fig. 8 in an embodiment of the application. Further, the intelligent gateway 90B shown in fig. 9 may be a network interconnection device associated with a secure application client (e.g., the secure application client 80B shown in fig. 8 described above) and may correspond to the intelligent gateway 30C shown in fig. 3. The secure application server 90C shown in fig. 9 may correspond to the secure application server 80A corresponding to fig. 8 described above.
Specifically, the access agent 90A acquires the access ticket 901a, the access ticket 901b, the information 901c, and the file path of the file storage system 90A, and stores the second access ticket 901b in number S as a ticket to be selected 901d in the memory. It should be understood that, here, the access ticket 901a may correspond to the access ticket 802a (i.e., the first type of access ticket) sent through the transmission channel 81a in the embodiment corresponding to fig. 8, the access ticket 901b may correspond to the access ticket 802b (i.e., the second type of access ticket) sent through the transmission channel 81b in the embodiment corresponding to fig. 8, and the information 901c may correspond to the information 802c (i.e., the device auxiliary information) sent through the transmission channel 81b in the embodiment corresponding to fig. 8. The file path of the file storage system 90a may correspond to the file path of the file storage system 80a sent through the transmission channel 81b in the embodiment corresponding to fig. 8.
Further, the access agent 90A uses the access ticket 901a as the access ticket 902a, selects one ticket from the tickets to be selected 901d as the access ticket 902B, generates a ticket verification request 903a based on the access ticket 902a, the access ticket 902B and the information 901c, and sends the ticket verification request to the intelligent gateway 90B. Further, the intelligent gateway 90B sends the ticket verification request 903a to the security application server 90C, and the security application server 90C performs further verification based on the ticket verification request 903 a. It should be understood that, the specific process of the security application server 90C for verifying the ticket may be referred to the specific description in the embodiment corresponding to fig. 4, which will not be described herein.
It should be appreciated that the access ticket 802a and the access ticket 802B stored in the secure application client 80B as shown in fig. 8 above will each be associated with a corresponding business application (e.g., application B1) and business data resource (e.g., resource B2).
Therefore, when the access object generates a resource access request by accessing the resource B2 through the application B1 next time, the access agent 90A may directly acquire a first type of access ticket (i.e., the access ticket 802B as shown in fig. 8) from the file storage system of the secure application client (e.g., the file storage system 80A of the secure application client 80B) when intercepting the resource access request, select one ticket (i.e., a second type of access ticket) from the to-be-selected tickets 901d in the own memory, and generate a new ticket verification request (different from the ticket verification request 903 a) in combination with the above information 901 c.
Optionally, after each selection of one ticket from the tickets 901d to be selected, the access agent 90A performs a subtraction process on the ticket 901d to be selected, and when the number of accesses reaches S times, that is, the ticket 901d to be selected is decremented to 0, which means that the second type of access ticket does not exist in the memory of the access agent 90A. At this time, the access agent 90A reads the second type of access ticket (e.g., the access ticket 802b in fig. 8) stored in the secure application client based on the file path of the file storage system 90A, and further selects one ticket from the access tickets 802b, and generates a ticket verification request in combination with the access ticket 901a and the information 901 c.
It should be appreciated that by storing tickets in the secure application client and in the access proxy, it is possible to avoid sending ticket acquisition requests to the secure application server when the access object initiates a resource access request to the same service data resource (e.g., the resource B2) through the same service application (e.g., the application B1), thereby reducing complexity of data resource access and improving efficiency of data resource access.
Therefore, in the embodiment of the application, the security application server can receive the ticket acquisition request for the service data resource sent by the security application client, when the device application data information of the terminal device where the security application client is located is acquired based on the ticket acquisition request, the first access ticket and the second access ticket associated with the service data resource can be generated based on the device application data information, and the first access ticket and the second access ticket can be returned to the security application client as resource access tickets, so that the security application client can send the first access ticket to an access agent in the security application client through a first data transmission channel when the resource access ticket is identified to contain the first access ticket and the second access ticket, and send the device auxiliary information and the second access ticket associated with the terminal device to the access agent through a second data transmission channel, wherein the security application server simultaneously sends the first access ticket and the second access ticket and transmits the second access ticket through the second data transmission channel with lower security transmission level. Because the security transmission level of the first data transmission channel is higher than that of the second data transmission channel, when an attacker intends to tamper the access ticket, the attacker can misuse the first access ticket issued by the second access ticket as a server to induce the attacker to tamper the second access ticket, so that the tampering behavior of the attacker can be effectively judged in the subsequent verification process of the second access ticket. Further, the security application server can receive a bill verification request sent by the access agent through the intelligent gateway, respectively perform bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request, obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified, and further, when the first bill verification result indicates that the first bill to be verified is the first access bill and the second bill verification result indicates that the second bill to be verified is the second access bill, notify the intelligent gateway to forward the resource access request to the service server when the resource access request sent by the service client intercepted by the access agent is acquired. Specifically, when the second type access ticket is checked, the related information of the second type access ticket generated through checking can be compared with the auxiliary information of the equipment, and when the comparison result indicates inconsistent, the security application server can effectively discover the falsification behavior of an attacker aiming at the second type access ticket, so that the access authority of an access object is disabled, the connection between the access agent and the intelligent gateway is interrupted, and the access is interrupted. Therefore, the security application server can effectively find the tamper behavior of the attack on the ticket and the illegal access behavior of the service data resource by issuing the first access ticket and the second access ticket, and can timely take security defense measures to interrupt the access session when finding the tamper behavior, thereby ensuring the security and reliability of the access object when accessing the service data resource.
Further, referring to fig. 10, fig. 10 is a timing chart of a data resource access method according to an embodiment of the present application. As shown in fig. 10, the method may be performed jointly by a user terminal running a security management client, an intelligent gateway associated with the security application client, a security application server corresponding to the security application client, and a service server corresponding to a service application, where the user terminal may be any one of the user terminals in the user terminal cluster shown in fig. 1, for example, the user terminal 100a. The secure application server may be the server 101 shown in fig. 1 described above. The intelligent gateway may be the intelligent gateway 102 shown in fig. 1 described above. Further, the service server may be any one of the service servers in the service server cluster shown in fig. 1 described above, for example, the service server 103a. The method may comprise at least the following steps S401-S414.
Step S401, a security application client sends a bill acquisition request for business data resources to a security application server;
The specific implementation of step S401 may be referred to the description of step S301 in the embodiment corresponding to fig. 7, and will not be described herein.
Step S402, a security application server receives a ticket acquisition request for a business data resource sent by a security application client, generates a first access ticket and a second access ticket associated with the business data resource based on equipment application data information when equipment application data information of terminal equipment where the security application client is located is acquired based on the ticket acquisition request, and takes the first access ticket and the second access ticket as resource access tickets;
step S403, the security application server sends a resource access ticket to the security application client;
Step S404, the security application client receives the resource access ticket returned by the security application server, and performs ticket identification on the first access ticket and the second access ticket carried in the resource access ticket to obtain a ticket identification result;
step S405, when the bill identification result indicates that the first access bill is a first type access bill, the security application client sends the first type access bill to the access agency through the first data transmission channel;
Step S406, when the bill identification result indicates that the second access bill is the second type access bill, the security application client acquires the equipment auxiliary information associated with the terminal equipment;
Step S407, the security application client sends a second type of access ticket and equipment auxiliary information through a second data transmission channel;
Step S408, the access agent acquires a first type access ticket and a second type access ticket, takes the first type access ticket as a first ticket to be identified, takes the second type access ticket as a second ticket to be identified, and generates a ticket checking request based on the first ticket to be identified, the second ticket to be identified and the equipment auxiliary information;
step S409, the access agent sends a bill verification request to the intelligent gateway;
Step S410, the intelligent gateway sends a bill verification request to the security application server;
For the specific implementation of step S402 to step S410, refer to the description of step S302 to step S304 in the embodiment corresponding to fig. 7, and the description will not be repeated here.
Step S411, the security application server receives a bill verification request, and respectively performs bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request to obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified;
Step S412, when the first bill verification result indicates that the first bill to be verified is a first access bill and the second bill verification result indicates that the second bill to be verified is a second access bill, the security application server informs the intelligent gateway to forward the resource access request to the service server when acquiring the resource access request sent by the service client intercepted by the access agent;
step S413, the access agent sends a resource access request to the intelligent gateway;
In step S414, the intelligent gateway sends a resource access request to the service server.
For the specific implementation of step S411 to step S414, refer to the descriptions of step S101 to step S103 in the embodiment corresponding to fig. 3, and the details will not be repeated here.
Therefore, in the embodiment of the application, the security application server can receive the ticket acquisition request for the service data resource sent by the security application client, when the device application data information of the terminal device where the security application client is located is acquired based on the ticket acquisition request, the first access ticket and the second access ticket associated with the service data resource can be generated based on the device application data information, and the first access ticket and the second access ticket can be returned to the security application client as resource access tickets, so that the security application client can send the first access ticket to an access agent in the security application client through a first data transmission channel when the resource access ticket is identified to contain the first access ticket and the second access ticket, and send the device auxiliary information and the second access ticket associated with the terminal device to the access agent through a second data transmission channel, wherein the security application server simultaneously sends the first access ticket and the second access ticket and transmits the second access ticket through the second data transmission channel with lower security transmission level. Because the security transmission level of the first data transmission channel is higher than that of the second data transmission channel, when an attacker intends to tamper the access ticket, the attacker can misuse the first access ticket issued by the second access ticket as a server to induce the attacker to tamper the second access ticket, so that the tampering behavior of the attacker can be effectively judged in the subsequent verification process of the second access ticket. Further, the security application server can receive a bill verification request sent by the access agent through the intelligent gateway, respectively perform bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request, obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified, and further, when the first bill verification result indicates that the first bill to be verified is the first access bill and the second bill verification result indicates that the second bill to be verified is the second access bill, notify the intelligent gateway to forward the resource access request to the service server when the resource access request sent by the service client intercepted by the access agent is acquired. Specifically, when the second type access ticket is checked, the related information of the second type access ticket generated through checking can be compared with the auxiliary information of the equipment, and when the comparison result indicates inconsistent, the security application server can effectively discover the falsification behavior of an attacker aiming at the second type access ticket, so that the access authority of an access object is disabled, the connection between the access agent and the intelligent gateway is interrupted, and the access is interrupted. Therefore, the security application server can effectively find the tamper behavior of the attack on the ticket and the illegal access behavior of the service data resource by issuing the first access ticket and the second access ticket, and can timely take security defense measures to interrupt the access session when finding the tamper behavior, thereby ensuring the security and reliability of the access object when accessing the service data resource.
Referring to fig. 11, fig. 11 is a schematic structural diagram of a data resource access device according to an embodiment of the present application. As shown in fig. 11, the data resource access device 1 may be a computer program (including program code) running on a computer apparatus, for example, the data resource access device 1 is an application software, and the computer apparatus may be a user terminal. The device can be used for executing the corresponding steps in the data resource access method provided by the embodiment of the application. As shown in fig. 11, the data resource access device 1 may include a ticket generation module 11, a ticket verification module 12, and a result notification module 13;
The ticket generation module 11 is configured to receive a ticket acquisition request for a service data resource sent by a security application client, generate a first access ticket and a second access ticket associated with the service data resource based on device application data information when device application data information of a terminal device where the security application client is located is acquired based on the ticket acquisition request, and return the first access ticket and the second access ticket as resource access tickets to the security application client, so that when the security application client recognizes that the resource access ticket contains the first access ticket and the second access ticket, the security application client sends the first access ticket to an access proxy in the security application client through a first data transmission channel, and sends device auxiliary information and the second access ticket associated with the terminal device to the access proxy through a second data transmission channel;
The bill verification module 12 is used for receiving a bill verification request sent by the access agent through the intelligent gateway, and respectively carrying out bill verification on a first bill to be verified and a second bill to be verified carried in the bill verification request to obtain a first bill verification result associated with the first bill to be verified and a second bill verification result associated with the second bill to be verified;
The result notifying module 13 is configured to notify the intelligent gateway to forward the resource access request to the service server when acquiring the resource access request sent by the service client intercepted by the access proxy when the first ticket checking result indicates that the first ticket to be checked is the first access ticket and the second ticket checking result indicates that the second ticket to be checked is the second access ticket, where the resource access request is used to instruct the service server to authorize the service client to access the service data resource.
The specific implementation manners of the ticket generating module 11, the ticket checking module 12, and the result notifying module 13 may be referred to the description of step S101 to step S103 in the embodiment corresponding to fig. 3, and the detailed description will not be repeated here.
The security application client side acquires the access verification data information from the service client side when the access agent intercepts a resource access request for the service data resource sent by the service client side through the access object, and the access verification data information is determined when the information verification is successful;
the ticket generating module 11 comprises an access policy acquiring unit 111, an influence factor determining unit 112, an access ticket generating unit 113 and an access ticket returning unit 114;
An access policy obtaining unit 111, configured to receive a ticket obtaining request for a service data resource sent by a security application client, and obtain a service access policy configured for an access object in a service access database based on the ticket obtaining request;
An influencing factor determining unit 112, configured to obtain device application data information of the terminal device from the ticket obtaining request, and determine a ticket generation influencing factor associated with the access object based on the service access policy and the device application data information;
an access ticket generation unit 113 for generating a first access ticket and a second access ticket based on the ticket generation influencing factor, the device application data information, and the access verification data information;
an access ticket returning unit 114 for returning the first access ticket and the second access ticket as resource access tickets to the secure application client.
The specific implementation manners of the access policy obtaining unit 111, the influencing factor determining unit 112, the access ticket generating unit 113 and the access ticket returning unit 114 may be referred to the description of step S101 to step S103 in the embodiment corresponding to fig. 4, and will not be further described herein.
The device application data information comprises resource characteristic information used for representing service data resources, bill generation influencing factors comprise resource sensitivity of the service data resources, wherein the resource sensitivity is determined based on the configuration resource sensitivity of the matched resource configuration characteristic information when the resource characteristic information is matched with the resource configuration characteristic information in a service access strategy;
The access ticket generating unit 113 includes a first authentication subunit 1131, a sensitive detection subunit 1132, a second authentication subunit 1133, and a first ticket generating subunit 1134;
a first authentication subunit 1131, configured to obtain, from the ticket obtaining request, object information, device information, and client information in the access verification data information, perform first identity authentication on the access object based on the object information, the device information, and the client information, and obtain a first identity authentication result;
The sensitive detection subunit 1132 is configured to perform sensitive detection on the resource sensitivity in the ticket generation influencing factor based on the resource sensitivity threshold indicated by the service access policy when the first identity authentication result indicates that the access object has the access right;
A second authentication subunit 1133, configured to send authentication indication information for performing second identity authentication on the service object to the secure application client when it is detected that the resource sensitivity in the ticket generation influencing factor reaches the resource sensitivity threshold;
The first ticket generating subunit 1134 is configured to receive the secondary access data information sent by the service client through the secure application client, generate the first access ticket based on the first ticket generating policy and the device application data information indicated by the service access policy when determining that the secondary access data information is consistent with the access verification data information, and generate the second access ticket based on the second ticket generating policy and the device application data information indicated by the service access policy.
The specific implementation manners of the first authentication subunit 1131, the sensitive detection subunit 1132, the second authentication subunit 1133, and the first ticket generating subunit 1134 may be referred to the description of step S101 in the embodiment corresponding to fig. 4, and will not be further described herein.
The device application data information comprises authority characteristic information used for representing the access authority of the access object, the ticket generation influencing factors comprise the authority level of the access authority, and the authority level is determined based on the configuration authority level of the matched authority configuration characteristic information when the authority characteristic information is matched with the authority configuration characteristic information in the service access strategy;
An access ticket generating unit 113 including a third authentication subunit 1135, a level detection subunit 1136, and a second ticket generating subunit 1137;
A third authentication subunit 1135, configured to obtain, from the ticket obtaining request, object information, device information, and client information in the access verification data information, perform first identity authentication on the access object based on the object information, the device information, and the client information, and obtain a first identity authentication result;
The level detection subunit 1136 is configured to perform level detection on the authority level in the ticket generation influencing factor based on the authority level threshold indicated by the service access policy when the first identity authentication result indicates that the access object has the access right;
The second ticket generating subunit 1137 is configured to generate, when detecting that the authority level in the ticket generating influencing factor reaches the authority level threshold, a first access ticket based on a third ticket generating policy and device application data information indicated by the service access policy, and generate a second access ticket based on a fourth ticket generating policy and device application data information indicated by the service access policy.
The specific implementation manner of the third authentication subunit 1135, the level detection subunit 1136, and the second ticket generating subunit 1137 may refer to the description of step S101 in the embodiment corresponding to fig. 4, and will not be further described herein.
The device application data information comprises access behavior information used for representing access behaviors of the access objects, ticket generation influence factors comprise behavior deviation degrees between the access behavior information and normal access behavior baselines, the normal access behavior baselines are formed by collecting and recording historical access behavior information of the access objects by a security application server, and the behavior deviation degrees are determined by comparing the access behavior information with the normal access behavior baselines;
The access ticket generating unit 113 includes a fourth authentication subunit 1138, a first comparison subunit 1139, a fifth authentication subunit 1140, and a third ticket generating subunit 1141;
A fourth authentication subunit 1138, configured to obtain, from the ticket obtaining request, object information, device information, and client information in the access verification data information, perform first identity authentication on the access object based on the object information, the device information, and the client information, and obtain a first identity authentication result;
The first comparing subunit 1139 is configured to, when the first identity authentication result indicates that the access object has an access right, compare the behavior deviation degree in the ticket generation influencing factor based on the behavior deviation degree threshold indicated by the service access policy, and obtain a first comparing result;
A fifth authentication subunit 1140, configured to send authentication indication information for performing second identity authentication on the service object to the secure application client when the behavior deviation in the first comparison result indication ticket generation influence factor reaches the behavior deviation threshold;
The third ticket generating sub-unit 1141 is configured to receive the secondary access data information sent by the service client through the secure application client, generate the first access ticket based on the fifth ticket generating policy and the device application data information indicated by the service access policy when determining that the secondary access data information is consistent with the access verification data information, and generate the second access ticket based on the sixth ticket generating policy and the device application data information indicated by the service access policy.
For a specific implementation manner of the fourth authentication subunit 1138, the first comparison subunit 1139, the fifth authentication subunit 1140, and the third ticket generating subunit 1141, reference may be made to the description of step S101 in the embodiment corresponding to fig. 4, and the details will not be further described herein.
The access verification data information comprises object information of an access object, equipment information of terminal equipment and client information of a service client; the equipment application data information comprises environment state information used for representing the environment state of the terminal equipment, wherein the bill generation influencing factors comprise the environment state information;
An access ticket generating unit 113 including a sixth authentication subunit 1142, a second comparison subunit 1143, a seventh authentication subunit 1144, and a fourth ticket generating subunit 1145;
a sixth authentication subunit 1142, configured to obtain object information, device information, and client information in the access verification data information from the ticket obtaining request, perform first identity authentication on the access object based on the object information, the device information, and the client information, and obtain a first identity authentication result;
The second comparing subunit 1143 is configured to compare the environmental status information in the ticket generation influencing factor based on the environmental status threshold indicated by the service access policy when the first identity authentication result indicates that the access object has the access right, so as to obtain a second comparing result;
A seventh authentication subunit 1144, configured to send authentication indication information for performing second identity authentication on the service object to the secure application client when the environmental status information in the second comparison result indication ticket generation influencing factor reaches an environmental status threshold;
The fourth ticket generating sub-unit 1145 is configured to receive the secondary access data information sent by the service client through the secure application client, generate the first access ticket based on the seventh ticket generating policy and the device application data information indicated by the service access policy when determining that the secondary access data information is consistent with the access verification data information, and generate the second access ticket based on the eighth ticket generating policy and the device application data information indicated by the service access policy.
For a specific implementation manner of the sixth authentication subunit 1142, the second comparison subunit 1143, the seventh authentication subunit 1144, and the fourth ticket generating subunit 1145, reference may be made to the description of step S101 in the embodiment corresponding to fig. 4, and the details will not be repeated here.
The first ticket generating subunit 1134 is further specifically configured to use the device application data information as a first basic data field, perform a first marking operation on the first basic data field to obtain a first marking field, generate a first type of access ticket based on a first ticket generating policy indicated by the service access policy, and use the first type of access ticket as the first access ticket;
The first ticket generating subunit 1134 is further specifically configured to use the device application data information as a second basic data field, perform a second marking operation on the second basic data field to obtain a second marking field, generate a second type of access ticket based on a second ticket generating policy indicated by the service access policy, and use the second type of access ticket as the second access ticket.
Optionally, the device 1 further comprises a bill identifying module 14 and a bill obtaining module 15 to be verified;
The bill identifying module 14 is configured to receive a bill verification request sent by the access agent through the intelligent gateway, and identify a first bill to be identified and a second bill to be identified carried in the bill verification request, so as to obtain a bill identifying result;
The ticket to be verified acquiring module 15 is configured to take the first ticket to be recognized as the first ticket to be verified and take the second ticket to be recognized as the second ticket to be verified when the ticket recognition result indicates that the first ticket to be recognized is the first type access ticket and the second ticket to be recognized is the second type access ticket.
For a specific implementation manner of the bill identifying module 14 and the bill obtaining module 15 to be verified, refer to the description of step S102 in the embodiment corresponding to fig. 4, and the description will not be repeated here.
The bill identifying module 14 comprises a to-be-identified bill acquiring unit 141, a first bill identifying unit 142, a first type access bill determining unit 143, a second bill identifying unit 144 and a second type access bill determining unit 145;
A to-be-identified bill acquiring unit 141, configured to acquire a first to-be-identified bill and a second to-be-identified bill from the bill verification request;
The first bill identifying unit 142 is configured to perform a first bill identifying operation on a first bill to be identified based on a bill identifying policy, so as to obtain a first bill identifying result;
The first type access ticket determining unit 143 is configured to determine that the first ticket to be identified is a first type access ticket if the first ticket identification result indicates that a first tag field is identified in the first ticket to be identified;
the second bill identifying unit 144 is configured to perform a second bill identifying operation on a second bill to be identified based on a bill identifying policy, so as to obtain a second bill identifying result;
The second type access ticket determining unit 145 is configured to determine that the second identification ticket is the second type access ticket if the second ticket identification result indicates that a second tag field is identified in the second ticket to be identified, where the second tag field is obtained by performing a second tag operation on a second basic data field, and the second basic data field is device application data information.
The specific implementation manner of the to-be-identified ticket acquiring unit 141, the first ticket identifying unit 142, the first type access ticket determining unit 143, the second ticket identifying unit 144, and the second type access ticket determining unit 145 may be referred to the description of step S102 in the embodiment corresponding to fig. 4, and will not be further described herein.
The bill verification module 12 comprises a first analysis unit 121, a first verification unit 122, a second analysis unit 123 and a second verification unit 124;
a first parsing unit 121, configured to perform a first information parsing operation on a first ticket to be checked, to obtain first configuration check information associated with a first type of access ticket;
the first verification unit 122 is configured to perform ticket verification on the first ticket to be verified based on the first configuration verification information, so as to obtain a first ticket verification result;
a second parsing unit 123, configured to perform a second information parsing operation on a second ticket to be checked, to obtain second configuration check information associated with a second type access ticket;
and the second checking unit 124 is configured to perform ticket checking on the second ticket to be checked based on the second configuration checking information and the device auxiliary information to obtain a second ticket checking result, where the device auxiliary information is obtained by the security application client.
The specific implementation manner of the first parsing unit 121, the first checking unit 122, the second parsing unit 123, and the second checking unit 124 may refer to the description of step S102 in the embodiment corresponding to fig. 4, and the detailed description will not be repeated here.
Optionally, the ticket checking module 12 further comprises a first access ticket determining unit 125 and a second access ticket determining unit 126;
a first access ticket determining unit 125, configured to determine that the first ticket to be checked is the first access ticket when the first ticket checking result indicates that the first configuration checking information passes the check;
And the second access ticket determining unit 126 is configured to determine that the second ticket to be checked is the second access ticket when the second ticket checking result indicates that the second configuration checking information passes the check, and the second configuration checking information is consistent with the device auxiliary information.
For a specific implementation manner of the first access ticket determining unit 125 and the second access ticket determining unit 126, reference may be made to the description of step S102 in the embodiment corresponding to fig. 4, and the description will not be repeated here.
Referring to fig. 12, fig. 12 is a schematic structural diagram of another data resource access device according to an embodiment of the present application. As shown in fig. 12, the data resource access means 2 may be a computer program (comprising program code) running on a computer device, for example the data resource access means 2 is an application software, the computer device may be a user terminal. The device can be used for executing the corresponding steps in the data resource access method provided by the embodiment of the application. As shown in fig. 12, the data resource access device 2 may include a first transmitting module 21, a ticket identifying module 22, a first transmitting module 23, and a second transmitting module 24;
a first sending module 21, configured to send a ticket obtaining request for a service data resource to a security application server;
The ticket identification module 22 is configured to receive a resource access ticket returned by the security application server, and identify a first access ticket and a second access ticket carried in the resource access ticket to obtain a ticket identification result;
The first transmission module 23 is configured to send the first type of access ticket to an access agent in the secure application client through the first data transmission channel when the ticket identification result indicates that the first access ticket is the first type of access ticket;
The second transmission module 24 is configured to obtain device auxiliary information associated with the terminal device when the ticket identification result indicates that the second access ticket is a second type access ticket, send the second type access ticket and the device auxiliary information to the access proxy through the second data transmission channel, so that the access proxy uses the first type access ticket as a first to-be-identified ticket and uses the second type access ticket as a second to-be-identified ticket when the access proxy obtains the first type access ticket and the second type access ticket, generate a ticket check request based on the first to-be-identified ticket, the second to-be-identified ticket and the device auxiliary information, and send the ticket check request to the security application server through the intelligent gateway, where the security transmission level of the first data transmission channel is higher than that of the second data transmission channel, and the intelligent gateway is disposed between the service client in the terminal device and the service server storing the service data resource.
The specific implementation manner of the first sending module 21, the bill identifying module 22, the first transmitting module 23 and the second transmitting module 24 may refer to the description of step S301 to step S304 in the embodiment corresponding to fig. 7, and the detailed description will not be repeated here.
The bill identifying module 22 includes a bill receiving unit 221, a first bill identifying unit 222, a first type access bill determining unit 223, a second bill identifying unit 224, and a second type access bill determining subunit 225;
a ticket receiving unit 221, configured to receive a resource access ticket returned by the security application server, and acquire a first access ticket and a second access ticket from the resource access ticket;
the first ticket identifying unit 222 is configured to perform a first ticket identifying operation on the first access ticket based on a ticket identifying policy to obtain a first ticket identifying result;
The first type access ticket determining unit 223 is configured to determine that the first access ticket is a first type access ticket if the first ticket identification result indicates that a first tag field is identified in the first access ticket;
a second ticket identifying unit 224, configured to perform a second ticket identifying operation on the second access ticket based on the ticket identifying policy, to obtain a second ticket identifying result;
The second type access ticket determining subunit 225 is configured to determine that the second access ticket is the second type access ticket if the second ticket identification result indicates that a second tag field is identified in the second access ticket, where the second tag field is obtained by performing a second tag operation on a second basic data field, and the second basic data field is device application data information.
For a specific implementation manner of the bill receiving unit 221, the first bill identifying unit 222, the first type access bill determining unit 223, the second bill identifying unit 224 and the second type access bill determining subunit 225, reference may be made to the description of step S302 in the embodiment corresponding to fig. 7, and the details will not be repeated here.
The number of the second access notes is N, and N is a positive integer;
The second transmission module 24 includes a ticket storage unit 241, a data transmission unit 242, and an instruction transmission unit 243;
a ticket storage unit 241, configured to store the second type of access ticket in a file storage system in the secure application client, and use the second type of access ticket as an original storage ticket;
The data transmission unit 242 is configured to obtain device auxiliary information associated with the terminal device, and send the second type access ticket, the device auxiliary information, and a file path of the file storage system to the access proxy through the second data transmission channel, so that when the access proxy obtains the second type access ticket, the access proxy stores S second type access tickets as tickets to be selected in the memory;
The instruction sending unit 243 is configured to send a ticket checking request generating instruction to the access agent, so that when the access agent receives the ticket checking request generating instruction, the access agent uses a first type of access ticket as a first ticket to be identified, selects one of the tickets to be selected as a second ticket to be identified, generates a ticket checking request based on the first ticket to be identified, the second ticket to be identified and the device auxiliary information, and sends the ticket checking request to the security application server through the intelligent gateway.
The specific implementation manner of the ticket storage unit 241, the data transmission unit 242, and the instruction sending unit 243 may be referred to the description of step S304 in the embodiment corresponding to fig. 7, and will not be further described herein.
The access agent performs decremental processing on the to-be-selected bill after selecting one bill from the to-be-selected bills as a second to-be-identified bill, reads an original cache bill from the file storage system through a file path of the file storage system when the to-be-selected bill decrements to 0, and selects one bill from the original cache bill as the second to-be-identified bill.
Further, referring to fig. 13, fig. 13 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 13, the computer device 1000 may be a user terminal, for example, the user terminal 100a in the embodiment corresponding to fig. 1, or a server, for example, the server 101 in the embodiment corresponding to fig. 1, which is not limited herein. For ease of understanding, the present application is exemplified by a computer device as a user terminal, the computer device 1000 may include a processor 1001, a network interface 1004, and a memory 1005, and the computer device 1000 may further include a user interface 1003, and at least one communication bus 1002. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may also include a standard wired interface, a wireless interface, among others. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one disk memory. The memory 1005 may also optionally be at least one storage device located remotely from the processor 1001. As shown in fig. 13, an operating system, a network communication module, a user interface module, and a device control application program may be included in the memory 1005, which is one type of computer-readable storage medium.
The network interface 1004 in the computer device 1000 may also provide network communication functions, and the optional user interface 1003 may also include a Display screen (Display) and a Keyboard (Keyboard). In the computer device 1000 shown in fig. 13, the network interface 1004 may provide a network communication function, while the user interface 1003 is mainly used for providing an input interface for a user, and the processor 1001 may be used for calling a device control application program stored in the memory 1005 to execute the description of the service data access method in the embodiment corresponding to fig. 4, fig. 6 and fig. 7, or execute the description of the data resource access device 1 in the embodiment corresponding to fig. 11, or execute the description of the data resource access device 2 in the embodiment corresponding to fig. 12, which will not be repeated herein. In addition, the description of the beneficial effects of the same method is omitted.
It should be noted that, in addition, the embodiment of the present application further provides a computer readable storage medium, where a computer program executed by the data resource access device 1 or the data resource access device 2 mentioned above is stored, and the computer program includes computer instructions, when executed by the processor, can execute the description of the service data access method in the embodiments corresponding to fig. 4, fig. 6, and fig. 7, and therefore, will not be repeated herein. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiments of the computer-readable storage medium according to the present application, please refer to the description of the method embodiments of the present application. As an example, computer instructions may be deployed to be executed on one computing device or on multiple computing devices at one site or distributed across multiple sites and interconnected by a communication network, where the multiple computing devices distributed across multiple sites and interconnected by a communication network may constitute a blockchain system.
Furthermore, it should be noted that embodiments of the present application also provide a computer program product or a computer program, which may include computer instructions, which may be stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor may execute the computer instructions, so that the computer device performs the foregoing description of the service data access method in the embodiments corresponding to fig. 4, fig. 6, and fig. 7, and therefore, a detailed description will not be given here. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the computer program product or the computer program embodiments according to the present application, reference is made to the description of the method embodiments according to the present application.
Further, referring to fig. 14, fig. 14 is a schematic structural diagram of a data processing system according to an embodiment of the present application. The data processing system 3 may comprise data processing means 1a and data processing means 2a. The data processing device 1a may be the data resource access device 1 in the embodiment corresponding to fig. 11, and it is understood that the data processing device 1a may be integrated with the user terminal 30A in the embodiment corresponding to fig. 3, and therefore, a detailed description thereof will not be provided here. The data processing device 2a may be the data resource access device 2 in the embodiment corresponding to fig. 12, and it is understood that the data processing device 2a may be integrated with the secure application server 30B in the embodiment corresponding to fig. 3, and therefore, a detailed description thereof will not be provided here. In addition, the description of the beneficial effects of the same method is omitted. For technical details not disclosed in the embodiments of the data processing system according to the present application, please refer to the description of the method embodiments of the present application.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of action described, as some steps may be performed in other order or simultaneously according to the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs.
The modules in the device of the embodiment of the application can be combined, divided and deleted according to actual needs.
In the present embodiment, the term "module" or "unit" refers to a computer program or a part of a computer program having a predetermined function and working together with other relevant parts to achieve a predetermined object, and may be implemented in whole or in part by using software, hardware (such as a processing circuit or a memory), or a combination thereof. Also, a processor (or multiple processors or memories) may be used to implement one or more modules or units. Furthermore, each module or unit may be part of an overall module or unit that incorporates the functionality of the module or unit.
Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of a computer program stored in a computer-readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.
The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (15)

1.一种数据资源访问方法,其特征在于,所述方法由安全应用服务器执行,包括:1. A data resource access method, characterized in that the method is executed by a security application server, comprising: 接收安全应用客户端发送的针对业务数据资源的票据获取请求,在基于所述票据获取请求获取到所述安全应用客户端所在终端设备的设备应用数据信息时,基于所述设备应用数据信息生成与业务数据资源相关联的第一访问票据和第二访问票据,将所述第一访问票据和所述第二访问票据作为资源访问票据返回给所述安全应用客户端,以使所述安全应用客户端在识别到所述资源访问票据包含第一类访问票据和第二类访问票据时,将所述第一类访问票据通过第一数据传输通道发送给所述安全应用客户端中的访问代理,且将与所述终端设备相关联的设备辅助信息和所述第二类访问票据通过第二数据传输通道发送给所述访问代理;所述第一数据传输通道的安全传输等级高于所述第二数据传输通道的安全传输等级;Receive a ticket acquisition request for a business data resource sent by a security application client, and when device application data information of a terminal device where the security application client is located is acquired based on the ticket acquisition request, generate a first access ticket and a second access ticket associated with the business data resource based on the device application data information, and return the first access ticket and the second access ticket to the security application client as resource access tickets, so that when the security application client identifies that the resource access ticket includes a first type of access ticket and a second type of access ticket, the first type of access ticket is sent to an access agent in the security application client through a first data transmission channel, and the device auxiliary information associated with the terminal device and the second type of access ticket are sent to the access agent through a second data transmission channel; the security transmission level of the first data transmission channel is higher than the security transmission level of the second data transmission channel; 接收所述访问代理通过智能网关发送的票据校验请求,对所述票据校验请求中所携带的第一待校验票据和第二待校验票据分别进行票据校验,得到与所述第一待校验票据相关联的第一票据校验结果和与所述第二待校验票据相关联的第二票据校验结果;所述智能网关部署在所述终端设备中的业务客户端和存储有所述业务数据资源的业务服务器之间;receiving a ticket verification request sent by the access proxy through an intelligent gateway, performing ticket verification on a first ticket to be verified and a second ticket to be verified carried in the ticket verification request, respectively, to obtain a first ticket verification result associated with the first ticket to be verified and a second ticket verification result associated with the second ticket to be verified; the intelligent gateway is deployed between a service client in the terminal device and a service server storing the service data resources; 在所述第一票据校验结果指示所述第一待校验票据为所述第一访问票据,且所述第二票据校验结果指示所述第二待校验票据为所述第二访问票据时,通知智能网关在获取到所述访问代理所拦截到的所述业务客户端发送的资源访问请求时,将所述资源访问请求转发给所述业务服务器;所述资源访问请求用于指示所述业务服务器授权所述业务客户端访问所述业务数据资源。When the first ticket verification result indicates that the first ticket to be verified is the first access ticket, and the second ticket verification result indicates that the second ticket to be verified is the second access ticket, the intelligent gateway is notified to forward the resource access request to the business server when the resource access request sent by the business client intercepted by the access agent is obtained; the resource access request is used to instruct the business server to authorize the business client to access the business data resources. 2.根据权利要求1所述的方法,其特征在于,所述票据获取请求是所述安全应用客户端基于设备应用数据信息和访问对象的访问验证数据信息所生成的;所述访问验证数据信息是所述安全应用客户端在访问代理拦截到所述访问对象通过业务客户端发送的针对所述业务数据资源的资源访问请求时,对所述资源访问请求中所携带的访问数据信息进行信息验证,且信息验证成功时所确定的;所述设备应用数据信息是所述安全应用客户端在得到所述访问验证数据信息时从所述业务客户端上所获取到的;2. The method according to claim 1 is characterized in that the ticket acquisition request is generated by the security application client based on the device application data information and the access verification data information of the access object; the access verification data information is determined when the security application client verifies the access data information carried in the resource access request when the access proxy intercepts the resource access request for the business data resource sent by the access object through the business client, and the information verification is successful; the device application data information is obtained by the security application client from the business client when obtaining the access verification data information; 所述接收安全应用客户端发送的针对业务数据资源的票据获取请求,在基于所述票据获取请求获取到所述安全应用客户端所在终端设备的设备应用数据信息时,基于所述设备应用数据信息生成与所述业务数据资源相关联的第一访问票据和第二访问票据,将所述第一访问票据和所述第二访问票据作为资源访问票据返回给所述安全应用客户端,包括:The receiving a ticket acquisition request for a business data resource sent by a security application client, and when obtaining device application data information of a terminal device where the security application client is located based on the ticket acquisition request, generating a first access ticket and a second access ticket associated with the business data resource based on the device application data information, and returning the first access ticket and the second access ticket as resource access tickets to the security application client, comprises: 接收安全应用客户端发送的针对所述业务数据资源的票据获取请求,基于所述票据获取请求在业务访问数据库中获取为所述访问对象所配置的业务访问策略;Receiving a ticket acquisition request for the business data resource sent by the security application client, and acquiring the business access policy configured for the access object in a business access database based on the ticket acquisition request; 从所述票据获取请求中获取所述终端设备的设备应用数据信息,基于所述业务访问策略和所述设备应用数据信息,确定与所述访问对象相关联的票据生成影响因素;Acquire device application data information of the terminal device from the ticket acquisition request, and determine a ticket generation influencing factor associated with the access object based on the service access policy and the device application data information; 基于所述票据生成影响因素、所述设备应用数据信息和所述访问验证数据信息,生成所述第一访问票据和所述第二访问票据;generating the first access ticket and the second access ticket based on the ticket generation influencing factors, the device application data information and the access verification data information; 将所述第一访问票据和所述第二访问票据作为资源访问票据返回给所述安全应用客户端。The first access ticket and the second access ticket are returned to the secure application client as resource access tickets. 3.根据权利要求2所述的方法,其特征在于,所述访问验证数据信息中包含所述访问对象的对象信息、所述终端设备的设备信息以及所述业务客户端的客户端信息;所述设备应用数据信息中包含用于表征所述业务数据资源的资源特征信息;所述票据生成影响因素包括所述业务数据资源的资源敏感度;所述资源敏感度是在所述资源特征信息与所述业务访问策略中的资源配置特征信息相匹配时,基于匹配到的资源配置特性信息的配置资源敏感度所确定的;3. The method according to claim 2 is characterized in that the access verification data information includes the object information of the access object, the device information of the terminal device and the client information of the business client; the device application data information includes resource feature information for characterizing the business data resource; the ticket generation influencing factor includes the resource sensitivity of the business data resource; the resource sensitivity is determined based on the configuration resource sensitivity of the matched resource configuration characteristic information when the resource feature information matches the resource configuration characteristic information in the business access policy; 所述基于所述票据生成影响因素、所述设备应用数据信息和所述访问验证数据信息,生成所述第一访问票据和所述第二访问票据,包括:The generating the first access ticket and the second access ticket based on the ticket generation influencing factors, the device application data information and the access verification data information includes: 从所述票据获取请求中获取所述访问验证数据信息中的所述对象信息、所述设备信息以及所述客户端信息,基于所述对象信息、所述设备信息以及所述客户端信息对所述访问对象进行第一身份鉴权,得到第一身份鉴权结果;Acquire the object information, the device information and the client information in the access verification data information from the ticket acquisition request, perform a first identity authentication on the access object based on the object information, the device information and the client information, and obtain a first identity authentication result; 在所述第一身份鉴权结果指示所述访问对象具备访问权限时,基于所述业务访问策略所指示的资源敏感阈值对所述票据生成影响因素中的资源敏感度进行敏感检测;When the first identity authentication result indicates that the access object has access rights, performing a sensitive detection on the resource sensitivity of the factors affecting the generation of the ticket based on the resource sensitivity threshold indicated by the service access policy; 在检测到所述票据生成影响因素中的资源敏感度达到所述资源敏感阈值时,向所述安全应用客户端发送用于对所述业务对象进行第二身份鉴权的鉴权指示信息;When it is detected that the resource sensitivity in the factors affecting ticket generation reaches the resource sensitivity threshold, sending authentication indication information for performing a second identity authentication on the business object to the security application client; 接收所述业务客户端通过所述安全应用客户端发送的二次访问数据信息,在确定所述二次访问数据信息与所述访问验证数据信息保持一致时,基于所述业务访问策略所指示的第一票据生成策略、所述设备应用数据信息生成所述第一访问票据,并基于所述业务访问策略所指示的第二票据生成策略、所述设备应用数据信息生成所述第二访问票据。Receive secondary access data information sent by the business client through the security application client, and when it is determined that the secondary access data information is consistent with the access verification data information, generate the first access ticket based on the first ticket generation strategy indicated by the business access policy and the device application data information, and generate the second access ticket based on the second ticket generation strategy indicated by the business access policy and the device application data information. 4.根据权利要求2所述的方法,其特征在于,所述访问验证数据信息中包含所述访问对象的对象信息、所述终端设备的设备信息以及所述业务客户端的客户端信息;所述设备应用数据信息中包含用于表征所述访问对象的访问权限的权限特征信息;所述票据生成影响因素包括所述访问权限的权限等级;所述权限等级是在所述权限特征信息与所述业务访问策略中的权限配置特征信息相匹配时,基于匹配到的权限配置特征信息的配置权限等级所确定的;4. The method according to claim 2 is characterized in that the access verification data information includes the object information of the access object, the device information of the terminal device and the client information of the business client; the device application data information includes the permission feature information used to characterize the access rights of the access object; the ticket generation influencing factors include the permission level of the access rights; the permission level is determined based on the configuration permission level of the matched permission configuration feature information when the permission feature information matches the permission configuration feature information in the business access policy; 所述基于所述票据生成影响因素、所述设备应用数据信息和所述访问验证数据信息,生成所述第一访问票据和所述第二访问票据,包括:The generating the first access ticket and the second access ticket based on the ticket generation influencing factors, the device application data information and the access verification data information includes: 从所述票据获取请求中获取所述访问验证数据信息中的所述对象信息、所述设备信息以及所述客户端信息,基于所述对象信息、所述设备信息以及所述客户端信息对所述访问对象进行第一身份鉴权,得到第一身份鉴权结果;Acquire the object information, the device information and the client information in the access verification data information from the ticket acquisition request, perform a first identity authentication on the access object based on the object information, the device information and the client information, and obtain a first identity authentication result; 在所述第一身份鉴权结果指示所述访问对象具备访问权限时,基于所述业务访问策略所指示的权限等级阈值对所述票据生成影响因素中的权限等级进行等级检测;When the first identity authentication result indicates that the access object has access rights, performing level detection on the permission level in the ticket generation influencing factor based on the permission level threshold indicated by the service access policy; 在检测到所述票据生成影响因素中的权限等级达到所述权限等级阈值时,基于所述业务访问策略所指示的第三票据生成策略、所述设备应用数据信息生成所述第一访问票据,并基于所述业务访问策略所指示的第四票据生成策略、所述设备应用数据信息生成所述第二访问票据。When it is detected that the authority level in the ticket generation influencing factors reaches the authority level threshold, the first access ticket is generated based on the third ticket generation strategy indicated by the business access policy and the device application data information, and the second access ticket is generated based on the fourth ticket generation strategy indicated by the business access policy and the device application data information. 5.根据权利要求2所述的方法,其特征在于,所述访问验证数据信息中包含所述访问对象的对象信息、所述终端设备的设备信息以及所述业务客户端的客户端信息;所述设备应用数据信息中包含用于表征所述访问对象的访问行为的访问行为信息;所述票据生成影响因素包括所述访问行为信息与正常访问行为基线之间的行为偏离度;所述正常访问行为基线是所述安全应用服务器对所述访问对象的历史访问行为信息进行采集记录所形成的;所述行为偏离度是对所述访问行为信息与所述正常访问行为基线进行比对所确定的;5. The method according to claim 2 is characterized in that the access verification data information includes the object information of the access object, the device information of the terminal device and the client information of the business client; the device application data information includes the access behavior information used to characterize the access behavior of the access object; the ticket generation influencing factors include the behavior deviation between the access behavior information and the normal access behavior baseline; the normal access behavior baseline is formed by the security application server collecting and recording the historical access behavior information of the access object; the behavior deviation is determined by comparing the access behavior information with the normal access behavior baseline; 所述基于所述票据生成影响因素、所述设备应用数据信息和所述访问验证数据信息,生成所述第一访问票据和所述第二访问票据,包括:The generating the first access ticket and the second access ticket based on the ticket generation influencing factors, the device application data information and the access verification data information includes: 从所述票据获取请求中获取所述访问验证数据信息中的所述对象信息、所述设备信息以及所述客户端信息,基于所述对象信息、所述设备信息以及所述客户端信息对所述访问对象进行第一身份鉴权,得到第一身份鉴权结果;Acquire the object information, the device information and the client information in the access verification data information from the ticket acquisition request, perform a first identity authentication on the access object based on the object information, the device information and the client information, and obtain a first identity authentication result; 在所述第一身份鉴权结果指示所述访问对象具备访问权限时,基于所述业务访问策略所指示的行为偏离度阈值对所述票据生成影响因素中的行为偏离度进行比对,得到第一比对结果;When the first identity authentication result indicates that the access object has access rights, comparing the behavior deviation in the ticket generation influencing factors based on the behavior deviation threshold indicated by the business access policy to obtain a first comparison result; 在所述第一比对结果指示所述票据生成影响因素中的行为偏离度达到所述行为偏离度阈值时,向所述安全应用客户端发送用于对所述业务对象进行第二身份鉴权的鉴权指示信息;When the first comparison result indicates that the behavior deviation in the bill generation influencing factor reaches the behavior deviation threshold, sending authentication indication information for performing a second identity authentication on the business object to the security application client; 接收所述业务客户端通过所述安全应用客户端发送的二次访问数据信息,在确定所述二次访问数据信息与所述访问验证数据信息保持一致时,基于所述业务访问策略所指示的第五票据生成策略、所述设备应用数据信息生成所述第一访问票据,并基于所述业务访问策略所指示的第六票据生成策略、所述设备应用数据信息生产所述第二访问票据。Receive secondary access data information sent by the business client through the security application client, and when it is determined that the secondary access data information is consistent with the access verification data information, generate the first access ticket based on the fifth ticket generation strategy indicated by the business access policy and the device application data information, and generate the second access ticket based on the sixth ticket generation strategy indicated by the business access policy and the device application data information. 6.根据权利要求2所述的方法,其特征在于,所述访问验证数据信息中包含所述访问对象的对象信息、所述终端设备的设备信息以及所述业务客户端的客户端信息;所述设备应用数据信息中包含用于表征所述终端设备环境状态的环境状态信息;所述票据生成影响因素包括所述环境状态信息;6. The method according to claim 2, characterized in that the access verification data information includes object information of the access object, device information of the terminal device and client information of the service client; the device application data information includes environmental status information for characterizing the environmental status of the terminal device; the factors affecting bill generation include the environmental status information; 所述基于所述票据生成影响因素、所述设备应用数据信息和所述访问验证数据信息,生成所述第一访问票据和所述第二访问票据,包括:The generating the first access ticket and the second access ticket based on the ticket generation influencing factors, the device application data information and the access verification data information includes: 从所述票据获取请求中获取所述访问验证数据信息中的所述对象信息、所述设备信息以及所述客户端信息,基于所述对象信息、所述设备信息以及所述客户端信息对所述访问对象进行第一身份鉴权,得到第一身份鉴权结果;Acquire the object information, the device information and the client information in the access verification data information from the ticket acquisition request, perform a first identity authentication on the access object based on the object information, the device information and the client information, and obtain a first identity authentication result; 在所述第一身份鉴权结果指示所述访问对象具备访问权限时,基于所述业务访问策略所指示的环境状态阈值对所述票据生成影响因素中的环境状态信息进行比对,得到第二比对结果;When the first identity authentication result indicates that the access object has access rights, comparing the environmental status information in the ticket generation influencing factors based on the environmental status threshold indicated by the business access policy to obtain a second comparison result; 在所述第二比对结果指示所述票据生成影响因素中的环境状态信息达到所述环境状态阈值时,向所述安全应用客户端发送用于对所述业务对象进行第二身份鉴权的鉴权指示信息;When the second comparison result indicates that the environmental status information in the factors affecting bill generation reaches the environmental status threshold, sending authentication indication information for performing a second identity authentication on the business object to the security application client; 接收所述业务客户端通过所述安全应用客户端发送的二次访问数据信息,在确定所述二次访问数据信息与所述访问验证数据信息保持一致时,基于所述业务访问策略所指示的第七票据生成策略、所述设备应用数据信息生成所述第一访问票据,并基于所述业务访问策略所指示的第八票据生成策略、所述设备应用数据信息生产所述第二访问票据。Receive secondary access data information sent by the business client through the security application client, and when it is determined that the secondary access data information is consistent with the access verification data information, generate the first access ticket based on the seventh ticket generation strategy indicated by the business access policy and the device application data information, and generate the second access ticket based on the eighth ticket generation strategy indicated by the business access policy and the device application data information. 7.根据权利要求3所述的方法,其特征在于,所述基于所述业务访问策略所指示的第一票据生成策略、所述设备应用数据信息生成所述第一访问票据,并基于所述业务访问策略所指示的第二票据生成策略、所述设备应用数据信息生成所述第二访问票据,包括:7. The method according to claim 3, characterized in that the generating the first access ticket based on the first ticket generation strategy indicated by the service access strategy and the device application data information, and generating the second access ticket based on the second ticket generation strategy indicated by the service access strategy and the device application data information, comprises: 将所述设备应用数据信息作为第一基础数据字段,对所述第一基础数据字段进行第一标记操作,得到第一标记字段,基于所述业务访问策略所指示的第一票据生成策略生成所述第一类访问票据,且将所述第一类访问票据作为所述第一访问票据;Taking the device application data information as a first basic data field, performing a first marking operation on the first basic data field to obtain a first marking field, generating the first type of access ticket based on a first ticket generation policy indicated by the service access policy, and taking the first type of access ticket as the first access ticket; 将所述设备应用数据信息作为第二基础数据字段,对所述第二基础数据字段进行第二标记操作,得到第二标记字段,基于所述业务访问策略所指示的第二票据生成策略生成第二类访问票据,且将所述第二类访问票据作为所述第二访问票据。The device application data information is used as a second basic data field, a second marking operation is performed on the second basic data field to obtain a second marking field, a second type of access ticket is generated based on a second ticket generation strategy indicated by the business access policy, and the second type of access ticket is used as the second access ticket. 8.根据权利要求1所述的方法,其特征在于,所述对所述票据校验请求中所携带的第一待校验票据和第二待校验票据分别进行票据校验,得到与所述第一待校验票据相关联的第一票据校验结果和与所述第二待校验票据相关联的第二票据校验结果,包括:8. The method according to claim 1, characterized in that the step of performing ticket verification on the first ticket to be verified and the second ticket to be verified carried in the ticket verification request to obtain a first ticket verification result associated with the first ticket to be verified and a second ticket verification result associated with the second ticket to be verified comprises: 对所述第一待校验票据进行第一信息解析操作,得到与所述第一类访问票据相关联的第一配置校验信息;Performing a first information parsing operation on the first ticket to be verified to obtain first configuration verification information associated with the first type of access ticket; 基于所述第一配置校验信息对所述第一待校验票据进行票据校验,得到第一票据校验结果;Performing bill verification on the first bill to be verified based on the first configuration verification information to obtain a first bill verification result; 对所述第二待校验票据进行第二信息解析操作,得到与所述第二类访问票据相关联的第二配置校验信息;Performing a second information parsing operation on the second ticket to be verified to obtain second configuration verification information associated with the second type of access ticket; 基于所述第二配置校验信息和所述设备辅助信息对所述第二待校验票据进行票据校验,得到第二票据校验结果;所述设备辅助信息由所述安全应用客户端获取得到的。Based on the second configuration verification information and the device auxiliary information, the second ticket to be verified is verified to obtain a second ticket verification result; the device auxiliary information is obtained by the security application client. 9.根据权利要求8所述的方法,其特征在于,所述方法还包括:9. The method according to claim 8, characterized in that the method further comprises: 在所述第一票据校验结果指示所述第一配置校验信息校验通过时,确定所述第一待校验票据为所述第一访问票据;When the first ticket verification result indicates that the first configuration verification information has passed verification, determining that the first ticket to be verified is the first access ticket; 在所述第二票据校验结果指示所述第二配置校验信息校验通过,且所述第二配置校验信息与所述设备辅助信息保持一致时,确定所述第二待校验票据为所述第二访问票据。When the second ticket verification result indicates that the second configuration verification information has passed verification and the second configuration verification information is consistent with the device auxiliary information, it is determined that the second ticket to be verified is the second access ticket. 10.一种数据资源访问方法,其特征在于,所述方法由运行有安全应用客户端的终端设备执行,包括:10. A data resource access method, characterized in that the method is executed by a terminal device running a security application client, comprising: 向安全应用服务器发送针对业务数据资源的票据获取请求;Send a ticket acquisition request for business data resources to the security application server; 接收所述安全应用服务器返回的资源访问票据,对所述资源访问票据中携带的第一访问票据和第二访问票据进行票据识别,得到票据识别结果;所述第一访问票据和所述第二访问票据为所述安全应用服务器基于所述票据获取请求中所携带到的所述安全应用客户端所在终端设备的设备应用数据信息所生成的;Receive the resource access ticket returned by the security application server, perform ticket identification on the first access ticket and the second access ticket carried in the resource access ticket, and obtain a ticket identification result; the first access ticket and the second access ticket are generated by the security application server based on the device application data information of the terminal device where the security application client is located carried in the ticket acquisition request; 在所述票据识别结果指示所述第一访问票据为第一类访问票据时,将所述第一类访问票据通过第一数据传输通道发送至所述安全应用客户端中的访问代理;When the ticket identification result indicates that the first access ticket is a first-class access ticket, sending the first-class access ticket to the access agent in the security application client through a first data transmission channel; 在所述票据识别结果指示所述第二访问票据为第二类访问票据时,获取与所述终端设备相关联的设备辅助信息,将所述第二类访问票据和所述设备辅助信息通过第二数据传输通道发送至所述访问代理,以使所述访问代理在获取到所述第一类访问票据和所述第二类访问票据时,将所述第一类访问票据作为第一待识别票据、且将所述第二类访问票据作为第二待识别票据,基于所述第一待识别票据、所述第二待识别票据以及所述设备辅助信息生成票据校验请求,并将所述票据校验请求通过智能网关发送至所述安全应用服务器;所述第一数据传输通道的安全传输等级高于所述第二数据传输通道的安全传输等级;所述智能网关部署在所述终端设备中的业务客户端和存储有所述业务数据资源的业务服务器之间。When the ticket identification result indicates that the second access ticket is a second-class access ticket, device auxiliary information associated with the terminal device is obtained, and the second-class access ticket and the device auxiliary information are sent to the access agent through a second data transmission channel, so that when the access agent obtains the first-class access ticket and the second-class access ticket, the first-class access ticket is used as the first ticket to be identified, and the second-class access ticket is used as the second ticket to be identified, and a ticket verification request is generated based on the first ticket to be identified, the second ticket to be identified and the device auxiliary information, and the ticket verification request is sent to the security application server through an intelligent gateway; the security transmission level of the first data transmission channel is higher than the security transmission level of the second data transmission channel; the intelligent gateway is deployed between the business client in the terminal device and the business server storing the business data resources. 11.一种数据资源访问装置,其特征在于,所述装置运行在安全应用服务器,包括:11. A data resource access device, characterized in that the device runs on a security application server, comprising: 票据生成模块,用于接收安全应用客户端发送的针对业务数据资源的票据获取请求,在基于所述票据获取请求获取到所述安全应用客户端所在终端设备的设备应用数据信息时,基于所述设备应用数据信息生成与所述业务数据资源相关联的第一访问票据和第二访问票据,将所述第一访问票据和所述第二访问票据作为资源访问票据返回给所述安全应用客户端,以使所述安全应用客户端在识别到所述资源访问票据包含第一类访问票据和第二类访问票据时,将所述第一类访问票据通过第一数据传输通道发送给所述安全应用客户端中的访问代理,且将与所述终端设备相关联的设备辅助信息和所述第二类访问票据通过第二数据传输通道发送给所述访问代理;所述第一数据传输通道的安全传输等级高于所述第二数据传输通道的安全传输等级;A ticket generation module, configured to receive a ticket acquisition request for a business data resource sent by a security application client, and when obtaining device application data information of a terminal device where the security application client is located based on the ticket acquisition request, generate a first access ticket and a second access ticket associated with the business data resource based on the device application data information, and return the first access ticket and the second access ticket to the security application client as resource access tickets, so that when the security application client identifies that the resource access ticket includes a first type of access ticket and a second type of access ticket, the first type of access ticket is sent to an access agent in the security application client through a first data transmission channel, and the device auxiliary information associated with the terminal device and the second type of access ticket are sent to the access agent through a second data transmission channel; the security transmission level of the first data transmission channel is higher than the security transmission level of the second data transmission channel; 票据校验模块,用于接收所述访问代理通过智能网关发送的票据校验请求,对所述票据校验请求中所携带的第一待校验票据和第二待校验票据分别进行票据校验,得到与所述第一待校验票据相关联的第一票据校验结果和与所述第二待校验票据相关联的第二票据校验结果;所述智能网关部署在所述终端设备中的业务客户端和存储有所述业务数据资源的业务服务器之间;a ticket verification module, configured to receive a ticket verification request sent by the access proxy through an intelligent gateway, and perform ticket verification on a first ticket to be verified and a second ticket to be verified carried in the ticket verification request, respectively, to obtain a first ticket verification result associated with the first ticket to be verified and a second ticket verification result associated with the second ticket to be verified; the intelligent gateway is deployed between a service client in the terminal device and a service server storing the service data resources; 结果通知模块,用于在所述第一票据校验结果指示所述第一待校验票据为所述第一访问票据,且所述第二票据校验结果指示所述第二待校验票据为所述第二访问票据时,通知智能网关在获取到所述访问代理所拦截到的所述业务客户端发送的资源访问请求时,将所述资源访问请求转发给所述业务服务器;所述资源访问请求用于指示所述业务服务器授权所述业务客户端访问所述业务数据资源。A result notification module is used to notify the intelligent gateway to forward the resource access request sent by the business client intercepted by the access agent to the business server when the first ticket verification result indicates that the first ticket to be verified is the first access ticket, and the second ticket verification result indicates that the second ticket to be verified is the second access ticket; the resource access request is used to instruct the business server to authorize the business client to access the business data resources. 12.一种数据资源访问装置,其特征在于,所述装置运行在运行有安全应用客户端的终端设备执行,包括:12. A data resource access device, characterized in that the device is executed on a terminal device running a security application client, comprising: 第一发送模块,用于向安全应用服务器发送针对业务数据资源的票据获取请求;A first sending module, used to send a ticket acquisition request for a business data resource to a security application server; 票据识别模块,用于接收所述安全应用服务器返回的资源访问票据,对所述资源访问票据中携带的第一访问票据和第二访问票据进行票据识别,得到票据识别结果;所述第一访问票据和所述第二访问票据为所述安全应用服务器基于所述票据获取请求中所携带到的所述安全应用客户端所在终端设备的设备应用数据信息所生成的;a ticket identification module, configured to receive the resource access ticket returned by the security application server, and perform ticket identification on the first access ticket and the second access ticket carried in the resource access ticket to obtain a ticket identification result; the first access ticket and the second access ticket are generated by the security application server based on the device application data information of the terminal device where the security application client is located carried in the ticket acquisition request; 第一传输模块,用于在所述票据识别结果指示所述第一访问票据为第一类访问票据时,将所述第一类访问票据通过第一数据传输通道发送至所述安全应用客户端中的访问代理;A first transmission module, configured to send the first type of access ticket to the access agent in the security application client through a first data transmission channel when the ticket identification result indicates that the first access ticket is a first type of access ticket; 第二传输模块,用于在所述票据识别结果指示所述第二访问票据为第二类访问票据时,获取与所述终端设备相关联的设备辅助信息,将所述第二类访问票据和所述设备辅助信息通过第二数据传输通道发送至所述访问代理,以使所述访问代理在获取到所述第一类访问票据和所述第二类访问票据时,将所述第一类访问票据作为第一待识别票据、且将所述第二类访问票据作为第二待识别票据,基于所述第一待识别票据、所述第二待识别票据以及所述设备辅助信息生成票据校验请求,并将所述票据校验请求通过智能网关发送至所述安全应用服务器;所述智能网关部署在所述终端设备中的业务客户端和存储有所述业务数据资源的业务服务器之间。A second transmission module is used to obtain device auxiliary information associated with the terminal device when the ticket identification result indicates that the second access ticket is a second-class access ticket, and send the second-class access ticket and the device auxiliary information to the access agent through a second data transmission channel, so that when the access agent obtains the first-class access ticket and the second-class access ticket, it uses the first-class access ticket as the first ticket to be identified and the second-class access ticket as the second ticket to be identified, generates a ticket verification request based on the first ticket to be identified, the second ticket to be identified and the device auxiliary information, and sends the ticket verification request to the security application server through an intelligent gateway; the intelligent gateway is deployed between the business client in the terminal device and the business server storing the business data resources. 13.一种计算机设备,其特征在于,包括存储器和处理器;13. A computer device, comprising a memory and a processor; 所述存储器与所述处理器相连,所述存储器用于存储计算机程序,所述处理器用于调用所述计算机程序,以使得所述计算机设备执行权利要求1-10任一项所述的方法。The memory is connected to the processor, the memory is used to store a computer program, and the processor is used to call the computer program so that the computer device executes the method according to any one of claims 1 to 10. 14.一种计算机可读存储介质,其特征在于,所述计算机可读存储介质中存储有计算机程序,所述计算机程序适于由处理器加载并执行,以使得具有所述处理器的计算机设备执行权利要求1-10任一项所述的方法。14. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program is suitable for being loaded and executed by a processor, so that a computer device having the processor executes the method according to any one of claims 1 to 10. 15.一种计算机程序产品,其特征在于,包括计算机程序/指令,所述计算机程序/指令被处理器执行时实现权利要求1-10任一项所述的方法。15. A computer program product, characterized in that it comprises a computer program/instruction, and when the computer program/instruction is executed by a processor, the method according to any one of claims 1 to 10 is implemented.
CN202410063871.1A 2024-01-16 2024-01-16 A data resource access method, device, equipment and medium Pending CN120337236A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410063871.1A CN120337236A (en) 2024-01-16 2024-01-16 A data resource access method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410063871.1A CN120337236A (en) 2024-01-16 2024-01-16 A data resource access method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN120337236A true CN120337236A (en) 2025-07-18

Family

ID=96359677

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410063871.1A Pending CN120337236A (en) 2024-01-16 2024-01-16 A data resource access method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN120337236A (en)

Similar Documents

Publication Publication Date Title
US12192173B2 (en) Network traffic inspection
US11757641B2 (en) Decentralized data authentication
US10958662B1 (en) Access proxy platform
US11457040B1 (en) Reverse TCP/IP stack
US10057282B2 (en) Detecting and reacting to malicious activity in decrypted application data
US10574698B1 (en) Configuration and deployment of decoy content over a network
US9015845B2 (en) Transit control for data
JP5961638B2 (en) System and method for application certification
US8881273B2 (en) Device reputation management
Ravindran et al. A Review on Web Application Vulnerability Assessment and Penetration Testing.
Kellezi et al. Securing Open Banking with Model‐View‐Controller Architecture and OWASP
US11595372B1 (en) Data source driven expected network policy control
US10826901B2 (en) Systems and method for cross-channel device binding
CN117155716B (en) Access verification method and device, storage medium and electronic equipment
US20250039195A1 (en) System and method for file scanning between a source and client in a zero trust environment
Phumkaew et al. Android forensic and security assessment for hospital and stock-and-trade applications in thailand
CN116975805A (en) Data processing method, device, equipment, storage medium and product
Szczepanik et al. Security of mobile banking applications
CN120337236A (en) A data resource access method, device, equipment and medium
CN115130116A (en) Business resource access method, device, equipment, readable storage medium and system
CN116032500B (en) Service access traffic control method, device, equipment and medium
KR102534012B1 (en) System and method for authenticating security level of content provider
Zhang et al. An empirical study of insecure communication in Android apps
US12445438B2 (en) Techniques for managing cookies through a secure web gateway
Howlader User attribute aware multi-factor authentication framework for cloud based systems

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication