CN107241341B - Access control method and device - Google Patents

Access control method and device Download PDF

Info

Publication number
CN107241341B
CN107241341B CN201710518068.2A CN201710518068A CN107241341B CN 107241341 B CN107241341 B CN 107241341B CN 201710518068 A CN201710518068 A CN 201710518068A CN 107241341 B CN107241341 B CN 107241341B
Authority
CN
China
Prior art keywords
certificate
server
party server
module
party
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710518068.2A
Other languages
Chinese (zh)
Other versions
CN107241341A (en
Inventor
赵岘
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing 58 Information Technology Co Ltd
Original Assignee
Beijing 58 Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing 58 Information Technology Co Ltd filed Critical Beijing 58 Information Technology Co Ltd
Priority to CN201710518068.2A priority Critical patent/CN107241341B/en
Publication of CN107241341A publication Critical patent/CN107241341A/en
Application granted granted Critical
Publication of CN107241341B publication Critical patent/CN107241341B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the invention provides an access control method and device, wherein the method comprises the following steps: receiving a first access request which is sent by terminal equipment and used for accessing a third-party server; sending the certificate of the main server to the terminal equipment so that the terminal equipment can verify the certificate; requesting a third-party server to acquire target data corresponding to the first access request; and after the terminal equipment is confirmed to pass the verification of the received certificate, encrypting the target data according to the received certificate, and sending the encrypted target data to the terminal equipment. For improving the reliability of access control.

Description

Access control method and device
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to an access control method and device.
Background
Currently, an application program may be installed in a terminal device (e.g., a device such as a mobile phone or a computer), and the terminal device may interact with a server corresponding to the application program through the application program to obtain data provided by the server.
In order to ensure the security of the terminal device obtaining data from the server, the terminal device usually performs https access to the server. And in the https access process, the server sends the certificate to the terminal equipment, the terminal equipment verifies the certificate, and after the terminal equipment verifies the certificate, the terminal equipment and the server communicate with each other. Currently, a certificate library is usually pre-stored in a terminal device, and the certificate library includes authority certificates issued by a plurality of authority organizations, so that the terminal device can verify the certificate sent by the server through the certificate in the certificate library. The terminal device may usually verify the authoritative certificate according to the certificate in the certificate bank, and may not verify the non-authoritative certificate.
In the actual application process, a third party access interface can be included in the application program, so that a user can access the third server through the third party interface in the application program. When the terminal device accesses a main server (server corresponding to the application program), the main server sends a certificate of the main server to the terminal device, and when the terminal device accesses a third-party server (server corresponding to the third-party application program), the third-party server sends the certificate to the terminal device. The application manufacturer may determine that the certificate of the main server is authoritative, so that the terminal device may verify the certificate of the main service, but it is not guaranteed that the certificate of each third-party server is also authoritative, and it is not guaranteed that the certificate of the third-party server is verified by the terminal device. When the terminal device cannot verify the certificate of the third-party server, the terminal device cannot access the third-party application program through the application program, so that access is abnormal, and the reliability of access control is poor.
Disclosure of Invention
The embodiment of the invention provides an access control method and device, which improve the reliability of access control.
In a first aspect, an embodiment of the present invention provides an access control method, which is applied to a proxy server corresponding to a main server, and the method includes:
receiving a first access request which is sent by terminal equipment and used for accessing a third-party server;
sending the certificate of the main server to the terminal equipment so that the terminal equipment can verify the certificate;
requesting the third-party server to acquire target data corresponding to the first access request;
and after the terminal equipment is confirmed to pass the verification of the received certificate, encrypting the target data according to the received certificate, and sending the encrypted target data to the terminal equipment.
In a possible implementation manner, after determining that the terminal device passes verification of the received certificate, encrypting the target data according to the received certificate includes:
receiving a private key sent by the terminal equipment, wherein the private key is obtained by encrypting a random number by the terminal equipment according to a received certificate, and the private key is used for indicating that the certificate is verified by the terminal equipment;
and encrypting the target data according to the private key.
In another possible implementation manner, the first access request includes a uniform resource locator URL address of the target data, and accordingly, requesting the third-party server to acquire the target data corresponding to the first access request includes:
sending a data acquisition request to the third-party server according to the URL address;
receiving data which is sent by the third-party server and encrypted through a preset encryption algorithm;
and decrypting the data according to a decryption algorithm corresponding to the preset encryption algorithm to obtain the target data.
In a second aspect, an embodiment of the present invention provides an access control method, which is applied to a terminal device, where an application program is installed in the terminal device, and the method includes:
after a first access request for accessing a third-party server is sent to a proxy server, receiving a certificate of a main server sent by the proxy server, wherein the main server is a server corresponding to the application program;
and verifying the received certificate according to a preset certificate library in the terminal equipment and/or a preset certificate built in the application program, wherein the preset certificate is the certificate of the main server built in the application program.
In a possible implementation mode, before sending the first access request for accessing the third-party server to the proxy server, the method further comprises the step of
Receiving click operation of a user on a third-party access interface;
acquiring the third party server corresponding to the third party access interface;
and determining that the identifier of the third-party server is in a preset server identifier set.
In another possible implementation manner, if it is determined that the third-party server is not in the preset server identifier set, the method includes:
sending a second access request to the third-party server;
receiving a certificate of the third-party server sent by the third-party server;
determining that the received certificate of the third party server is verified.
In another possible implementation manner, verifying the received certificate according to a preset certificate library in the terminal device and/or a preset certificate built in the application program includes:
verifying the received certificate according to the certificate in the preset certificate library;
if the verification is not passed, whether the preset certificate is the same as the received certificate or not is judged, if yes, the received certificate is verified to be passed, and if not, the received certificate is verified to be not passed.
In a third aspect, an embodiment of the present invention provides an access control apparatus, which is applied to a proxy server corresponding to a main server, and includes a receiving module, a sending module, an obtaining module, and an encrypting module, where,
the receiving module is used for receiving a first access request which is sent by the terminal equipment and used for accessing the third-party server;
the sending module is configured to send the certificate of the main server to the terminal device, so that the terminal device verifies the certificate;
the acquisition module is used for requesting the third-party server to acquire target data corresponding to the first access request;
the encryption module is used for encrypting the target data according to the received certificate after the terminal equipment is confirmed to pass the verification of the received certificate;
the sending module is further configured to send the encrypted target data to the terminal device.
In a possible implementation, the encryption module is specifically configured to:
receiving a private key sent by the terminal equipment, wherein the private key is obtained by encrypting a random number by the terminal equipment according to a received certificate, and the private key is used for indicating that the certificate is verified by the terminal equipment;
and encrypting the target data according to the private key.
In another possible implementation manner, the first access request includes a uniform resource locator URL address of the target data, and correspondingly, the obtaining module is specifically configured to:
sending a data acquisition request to the third-party server according to the URL address;
receiving data which is sent by the third-party server and encrypted through a preset encryption algorithm;
and decrypting the data according to a decryption algorithm corresponding to the preset encryption algorithm to obtain the target data.
In a fourth aspect, an embodiment of the present invention provides an access control method, which is applied to a terminal device, where the terminal device has an application installed therein, and includes a sending module, a receiving module, and a verification module, where,
the receiving module is used for receiving a certificate of a main server sent by the proxy server after the sending module sends a first access request for accessing a third-party server to the proxy server, wherein the main server is a server corresponding to the application program;
the verification module is used for verifying the received certificate according to a preset certificate library in the terminal equipment and/or a preset certificate built in the application program, wherein the preset certificate is the certificate of the main server built in the application program.
In one possible embodiment, the apparatus further comprises an obtaining module and a determining module, wherein,
the receiving module is further used for receiving the click operation of the user on the third-party access interface before the sending module sends the first access request for accessing the third-party server to the proxy server;
the acquisition module is used for acquiring the third-party server corresponding to the third-party access interface;
the determining module is configured to determine that the identifier of the third-party server is in a preset server identifier set.
In another possible implementation manner, the sending module is further configured to send a second access request to the third-party server when the determining module determines that the third-party server is not in the preset server identifier set;
the receiving module is further configured to receive a certificate of the third-party server sent by the third-party server;
the verification module is further configured to determine that the received certificate of the third-party server is verified.
In another possible implementation, the verification module is specifically configured to:
verifying the received certificate according to the certificate in the preset certificate library;
if the verification is not passed, whether the preset certificate is the same as the received certificate or not is judged, if yes, the received certificate is verified to be passed, and if not, the received certificate is verified to be not passed.
The access control method and the access control device provided by the embodiment of the invention have the advantages that when the terminal equipment accesses the third-party server, the terminal device sends a first access request for accessing the third-party server to the proxy server, the proxy server sends the certificate of the main server to the terminal device, according to the preset certificate in the preset certificate library and/or the application program, the certificate is verified, so that, as long as the certificate sent by the proxy server to the terminal device has not been tampered with, the terminal equipment can be ensured to pass the verification of the received certificate, and then the terminal equipment can be ensured to normally access the third-party server through the proxy server, so that the problem that the third-party server cannot be accessed through the application program due to the fact that the certificate of the third-party server is not verified is solved, and the reliability of access control is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of an access control method according to an embodiment of the present invention;
fig. 2 is a first flowchart of an access control method according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating a second access control method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention;
fig. 5 is a first schematic structural diagram of another access control apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of another access control apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic view of an application scenario of an access control method according to an embodiment of the present invention. Referring to fig. 1, the terminal device 101, the main server 102, the proxy server 103, and the third party server 104 are included. An application program is installed in the terminal device 101, and the application program includes a third party access interface of a third party server. The main server 102 and the proxy server 103 are servers corresponding to the application program in the terminal device 101, wherein the main server 102 is used for providing data information required by the application program, and the proxy server 103 provides a proxy function for the main server 102. The third-party server 104 is a server corresponding to a third-party access interface in the application program in the terminal device 101.
In the present application, when the terminal device 101 needs to obtain data in the host server 102 through the application program, the terminal device 102 directly performs https access to the host server 102, and the host server 102 sends the certificate of the host server 102 to the terminal device. When the terminal device 101 accesses the third-party server through the third-party access interface in the application program, the terminal device 101 performs https access to the third server 104 through the proxy server 103 of the main server 102, and in the process, the third-party server 104 does not need to send the certificate of the third-party server 104 to the terminal device 101, but the proxy server 103 sends the certificate of the main server 102 to the terminal device 101.
As can be seen from the above, in the present application, no matter the terminal device 101 accesses the main server 102 or the third-party server 104, the certificate of the main server 102 is sent to the terminal device, so that the terminal device 101 verifies the certificate of the main server 102, and the problem that the third-party server cannot be accessed due to the fact that the certificate of the third-party server is not verified is avoided.
The technical means shown in the present application will be described in detail below with reference to specific examples. It should be noted that the following specific embodiments may be combined with each other, and description of the same or similar contents is not repeated in different embodiments.
Fig. 2 is a first flowchart of an access control method according to an embodiment of the present invention. Referring to fig. 2, the method may include:
s201, the terminal device sends a first access request for accessing the third-party server to the proxy server.
In an embodiment of the present invention, the first access request is an https-based request.
And an application program is installed in the terminal equipment, and a third party access interface for accessing a third party server is arranged in the application program. Optionally, the third party access interface may correspond to a link of a third party server. When the user performs preset operation, such as click operation, on the third-party access interface, the terminal device may access the third-party server through the proxy server.
Optionally, the terminal device sends a first access request for accessing the third-party server to the proxy server. Optionally, the first access request may carry a URL of the third-party server, so that the proxy server may obtain, according to the URL, content that needs to be fed back to the terminal device from the third-party server. Of course, the first access request may further include other contents, and this is not specifically limited in this embodiment of the present invention.
S202, the proxy server sends the certificate of the main server to the terminal equipment.
In the embodiment of the present invention, the certificate stored in the proxy server is the certificate of the main server, and therefore, after the proxy server receives the first access request, the proxy server transmits the certificate of the main server to the terminal device.
S203, the terminal equipment verifies the received certificate.
Optionally, the certificate of the main server is preset in the application program, for example, the certificate of the main server may be built in the application program when the application program is issued. Correspondingly, after the terminal device receives the certificate, the terminal device can verify the certificate according to a preset certificate library in the terminal device and/or a preset certificate in the application program. The preset certificate library comprises authority certificates issued by a plurality of authorities.
Optionally, the terminal device may verify the received certificate according to the certificate in the preset certificate repository, and if the received certificate passes the verification, the verification of the certificate of the main server is finished. If the verification fails, whether the certificate of the main server is the same as the certificate of the main server preset in the application program or not is judged, if yes, the certificate is verified to be passed, and if not, the certificate is verified to be failed. It should be noted that, the terminal device may refer to any process in the prior art for the verification process of the received certificate through the certificate in the preset certificate repository, and details are not described here.
Of course, in the actual application process, the received certificate may also be directly verified according to a preset certificate built in the application program.
In this process, when the certificates included in the certificate store in the terminal device are not complete enough, the terminal device may not verify the received certificate according to the certificate in the preset certificate store. At this time, the received certificate can be verified according to a preset certificate built in the application program, the certificate is usually not attacked because the certificate built in the application program is the certificate of the main server, and when the certificate received by the terminal device is not tampered, the certificate received by the terminal device is the certificate of the main server, so that the certificate received by the terminal device can be ensured to be consistent with the preset certificate built in the application program, and the terminal device can be ensured to pass the verification of the received certificate. By the method, the reliability of the terminal equipment for verifying the received certificate can be improved.
It should be noted that, for the certificate directly transmitted by the host server, the terminal device may also verify the received certificate by the above-mentioned transmission.
S204, the proxy server sends a data acquisition request to the third-party server.
After receiving the first access request sent by the terminal device, the proxy server may generate a data acquisition request according to the first access request, and send the data acquisition request to the third-party server.
S205, the third-party server sends the target data to the proxy server.
And after the third-party server receives the data acquisition request, acquiring corresponding target data and sending the target data to the proxy server.
Optionally, in order to ensure the security of data transmission between the third-party server and the proxy server, the third-party server may encrypt the target data according to an encryption algorithm agreed with the proxy server, and send the encrypted target data to the proxy server.
S206, after the terminal equipment verifies the received certificate, the terminal equipment sends a private key to the proxy server, and the private key is obtained by encrypting the random number according to the certificate by the terminal equipment.
After the terminal equipment passes the verification of the received certificate, the terminal equipment generates a random number, encrypts the generated random number through the received certificate to obtain a private key, and sends the private key to the proxy server.
It should be noted that S204-S205 and S206 may be executed sequentially or in parallel, and of course, S206 may be executed first and then S04-S205 may be executed, and this order is not specifically limited in the embodiment of the present invention.
When S204-S205 are executed first and then S206 is executed, before the terminal device verifies the received certificate, the proxy server obtains the target data from the third-party server first, so that after the terminal device verifies the received certificate, the proxy server can quickly send the target data to the terminal device, and further, the efficiency of sending the target data to the terminal device by the proxy server is high.
When the step S206 is executed first and the step S204-S205 are executed later, the proxy server requests the third-party server to acquire the target data only after the terminal device verifies the received certificate, and correspondingly, when the terminal device does not verify the received certificate, the proxy server does not need to request the third-party server to acquire the target data.
S207, the proxy server encrypts the target data according to the private key.
After the proxy server receives the private key, the proxy server encrypts the target data according to the private key. It should be noted that, the process of encrypting the target data by the proxy server according to the private key may refer to an encryption process in the prior art, which is not described herein again.
S208, the proxy server sends the target data encrypted according to the private key to the terminal equipment.
It should be noted that, in the process of the present communication between the proxy server and the terminal device, the data exchanged between the proxy server and the terminal device is encrypted by the private key, which is not described in detail herein.
According to the access control method provided by the embodiment of the invention, when the terminal equipment accesses the third-party server, the terminal equipment sends the first access request for accessing the third-party server to the proxy server, the proxy server sends the certificate of the main server to the terminal equipment, and the terminal equipment verifies the certificate according to the preset certificate in the preset certificate library and/or the application program.
In an actual application process, a plurality of third-party access interfaces may be set in an application program, and in order to save cost, an application program manufacturer may only proxy a third-party server corresponding to a part of the third-party access interfaces, that is, a terminal device accesses a part of the third-party servers through the proxy server. Correspondingly, a preset server identifier set can be set in the application program, when the identifier of the third-party server is in the preset server identifier set, the third-party server is accessed through the proxy server, and if not, the third-party server is directly accessed. Specifically, please refer to the embodiment shown in fig. 3.
Fig. 3 is a flowchart illustrating a second access control method according to an embodiment of the present invention. On the basis of the embodiment shown in fig. 2, referring to fig. 3, the method may include:
s301, the terminal equipment receives click operation of the user on the third-party access interface.
S302, the terminal equipment acquires a third party server corresponding to the third party access interface.
S303, the terminal equipment judges whether the identifier of the third-party server is in a preset server identifier set.
If so, S304-314 are performed.
If not, S314-317 is performed.
The preset server identification set comprises identifications of a plurality of servers, and for a third-party server corresponding to each identification in the preset server identification set, when the terminal equipment accesses the part of the third-party servers, the terminal equipment needs to access through the proxy server.
S304, the terminal device sends a first access request for accessing the third-party server to the proxy server, wherein the first access request comprises the URL address of the target data.
S305, the proxy server sends the certificate of the main server to the terminal equipment.
S306, the terminal equipment verifies the certificate according to a preset certificate library in the terminal equipment and/or a preset certificate in the application program.
S307, after the terminal equipment passes the verification of the received certificate, generating a random number, and encrypting the random number according to the received certificate to obtain a private key.
S308, the terminal equipment sends the private key to the proxy server.
S309, sending a data acquisition request to a third-party server.
S310, the third party server obtains the target data and encrypts the target data through an encryption algorithm.
S311, the third party server sends the encrypted target data to the proxy server.
S312, the proxy server decrypts the encrypted target data according to the decryption algorithm corresponding to the encryption algorithm to obtain the target data.
S313, the proxy server encrypts the target data according to the private key.
S314, the proxy server sends the target data encrypted according to the private key to the terminal equipment.
It should be noted that, the execution process of S304-S314 may refer to the embodiment shown in fig. 2, and is not described herein again.
And S315, the terminal equipment sends a second access request to the third-party server.
S316, the third-party server sends the certificate of the third-party server to the terminal equipment.
And S317, the terminal equipment determines that the received certificate of the third-party server is verified.
In S317, the terminal device does not verify the received certificate of the third-party server, and directly determines that the received certificate of the third-party server passes verification.
It should be noted that, after S317, the terminal device generates a random number, encrypts the random number according to the received certificate of the third-party server to generate a private key, and during a process of performing communication after the terminal device and the third-party server, data transmitted to each other are encrypted by using the private key, which is not described in detail herein.
Fig. 4 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention. The device, applied to a proxy server corresponding to a main server, as shown in fig. 4, includes a receiving module 11, a sending module 12, an obtaining module 13, and an encrypting module 14, wherein,
the receiving module 11 is configured to receive a first access request sent by a terminal device and used for accessing a third-party server;
the sending module 12 is configured to send the certificate of the main server to the terminal device, so that the terminal device verifies the certificate;
the obtaining module 13 is configured to request the third-party server to obtain target data corresponding to the first access request;
the encryption module 14 is configured to encrypt the target data according to the received certificate after it is determined that the terminal device passes verification of the received certificate;
the sending module 12 is further configured to send the encrypted target data to the terminal device.
The access control device provided in the embodiment of the present invention may implement the technical solutions shown in the above method embodiments, and the implementation principles and beneficial effects thereof are similar, and are not described herein again.
In a possible implementation, the encryption module 14 is specifically configured to:
receiving a private key sent by the terminal equipment, wherein the private key is obtained by encrypting a random number by the terminal equipment according to a received certificate, and the private key is used for indicating that the certificate is verified by the terminal equipment;
and encrypting the target data according to the private key.
In another possible implementation manner, the first access request includes a uniform resource locator URL address of the target data, and correspondingly, the obtaining module 13 is specifically configured to:
sending a data acquisition request to the third-party server according to the URL address;
receiving data which is sent by the third-party server and encrypted through a preset encryption algorithm;
and decrypting the data according to a decryption algorithm corresponding to the preset encryption algorithm to obtain the target data.
The access control device provided in the embodiment of the present invention may implement the technical solutions shown in the above method embodiments, and the implementation principles and beneficial effects thereof are similar, and are not described herein again.
Fig. 5 is a first schematic structural diagram of another access control apparatus according to an embodiment of the present invention. The device is applied to terminal equipment, and an application program is installed in the terminal equipment. Referring to fig. 5, the apparatus may include a sending module 21, a receiving module 22, and a verifying module 23, wherein,
the receiving module 22 is configured to receive a certificate of a main server sent by a proxy server after the sending module 21 sends a first access request for accessing a third-party server to the proxy server, where the main server is a server corresponding to the application program;
the verification module 23 is configured to verify the received certificate according to a preset certificate library in the terminal device and/or a preset certificate built in the application program, where the preset certificate is a certificate of the main server built in the application program.
The access control device provided in the embodiment of the present invention may implement the technical solutions shown in the above method embodiments, and the implementation principles and beneficial effects thereof are similar, and are not described herein again.
Fig. 6 is a schematic structural diagram of another access control apparatus according to an embodiment of the present invention. On the basis of the embodiment shown in fig. 5, please refer to fig. 6, the apparatus further includes an obtaining module 24 and a determining module 25, wherein,
the receiving module 22 is further configured to receive a click operation of a user on a third-party access interface before the sending module 21 sends a first access request for accessing a third-party server to a proxy server;
the obtaining module 24 is configured to obtain the third-party server corresponding to the third-party access interface;
the determining module 25 is configured to determine that the identifier of the third-party server is in a preset server identifier set.
In a possible implementation manner, the sending module 21 is further configured to send a second access request to the third-party server when the determining module 25 determines that the third-party server is not in the preset server identifier set;
the receiving module 22 is further configured to receive the certificate of the third-party server sent by the third-party server;
the verification module 23 is further configured to determine that the received certificate of the third-party server is verified.
In another possible implementation, the verification module 23 is specifically configured to:
verifying the received certificate according to the certificate in the preset certificate library;
if the verification is not passed, whether the preset certificate is the same as the received certificate or not is judged, if yes, the received certificate is verified to be passed, and if not, the received certificate is verified to be not passed.
The access control device provided in the embodiment of the present invention may implement the technical solutions shown in the above method embodiments, and the implementation principles and beneficial effects thereof are similar, and are not described herein again.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the embodiments of the present invention.

Claims (12)

1. An access control method is applied to a proxy server corresponding to a main server, and the method comprises the following steps:
receiving a first access request which is sent by terminal equipment and used for accessing a third-party server;
sending the certificate of the main server to the terminal equipment so that the terminal equipment can verify the certificate;
requesting the third-party server to acquire target data corresponding to the first access request;
after the terminal equipment is confirmed to pass the verification of the received certificate, receiving a private key sent by the terminal equipment, encrypting the target data according to the received private key, and sending the encrypted target data to the terminal equipment, wherein the private key is obtained by encrypting a random number by the terminal equipment according to the received certificate and is used for indicating that the terminal equipment passes the verification of the certificate.
2. The method of claim 1, wherein the first access request includes a Uniform Resource Locator (URL) address of the target data, and accordingly, requesting the third-party server to obtain the target data corresponding to the first access request includes:
sending a data acquisition request to the third-party server according to the URL address;
receiving data which is sent by the third-party server and encrypted through a preset encryption algorithm;
and decrypting the data according to a decryption algorithm corresponding to the preset encryption algorithm to obtain the target data.
3. An access control method applied to a terminal device having an application installed therein, the method comprising:
after a first access request for accessing a third-party server is sent to a proxy server, receiving a certificate of a main server sent by the proxy server, wherein the main server is a server corresponding to the application program;
and verifying the received certificate according to a preset certificate library in the terminal equipment and/or a preset certificate built in the application program, wherein the preset certificate is the certificate of the main server built in the application program.
4. The method of claim 3, further comprising, prior to sending the first access request to the proxy server for access to the third-party server
Receiving click operation of a user on a third-party access interface;
acquiring the third party server corresponding to the third party access interface;
and determining that the identifier of the third-party server is in a preset server identifier set.
5. The method of claim 4, wherein if it is determined that the third-party server is not in the set of predetermined server identities, the method comprises:
sending a second access request to the third-party server;
receiving a certificate of the third-party server sent by the third-party server;
determining that the received certificate of the third party server is verified.
6. The method according to any one of claims 4 to 5, wherein verifying the received certificate according to a preset certificate library in the terminal device and/or a preset certificate built in the application program comprises:
verifying the received certificate according to the certificate in the preset certificate library;
if the verification is not passed, whether the preset certificate is the same as the received certificate or not is judged, if yes, the received certificate is verified to be passed, and if not, the received certificate is verified to be not passed.
7. An access control device is applied to a proxy server corresponding to a main server and comprises a receiving module, a sending module, an obtaining module and an encryption module, wherein,
the receiving module is used for receiving a first access request which is sent by the terminal equipment and used for accessing the third-party server;
the sending module is configured to send the certificate of the main server to the terminal device, so that the terminal device verifies the certificate;
the acquisition module is used for requesting the third-party server to acquire target data corresponding to the first access request;
the encryption module is used for receiving a private key sent by the terminal equipment after the terminal equipment is confirmed to pass the verification of the received certificate, and encrypting the target data according to the received private key, wherein the private key is obtained by encrypting a random number by the terminal equipment according to the received certificate and is used for indicating that the terminal equipment passes the verification of the certificate;
the sending module is further configured to send the encrypted target data to the terminal device.
8. The apparatus of claim 7, wherein the first access request includes a Uniform Resource Locator (URL) address of the target data, and correspondingly, the obtaining module is specifically configured to:
sending a data acquisition request to the third-party server according to the URL address;
receiving data which is sent by the third-party server and encrypted through a preset encryption algorithm;
and decrypting the data according to a decryption algorithm corresponding to the preset encryption algorithm to obtain the target data.
9. An access control device is applied to terminal equipment, an application program is installed in the terminal equipment, the device comprises a sending module, a receiving module and an authentication module, wherein,
the receiving module is used for receiving a certificate of a main server sent by the proxy server after the sending module sends a first access request for accessing a third-party server to the proxy server, wherein the main server is a server corresponding to the application program;
the verification module is used for verifying the received certificate according to a preset certificate library in the terminal equipment and/or a preset certificate built in the application program, wherein the preset certificate is the certificate of the main server built in the application program.
10. The apparatus of claim 9, further comprising an acquisition module and a determination module, wherein,
the receiving module is further used for receiving the click operation of the user on the third-party access interface before the sending module sends the first access request for accessing the third-party server to the proxy server;
the acquisition module is used for acquiring the third-party server corresponding to the third-party access interface;
the determining module is configured to determine that the identifier of the third-party server is in a preset server identifier set.
11. The apparatus of claim 10,
the sending module is further configured to send a second access request to the third-party server if the determining module determines that the third-party server is not in the preset server identifier set;
the receiving module is further configured to receive a certificate of the third-party server sent by the third-party server;
the verification module is further configured to determine that the received certificate of the third-party server is verified.
12. The apparatus according to any one of claims 9-11, wherein the validation module is specifically configured to:
verifying the received certificate according to the certificate in the preset certificate library;
if the verification is not passed, whether the preset certificate is the same as the received certificate or not is judged, if yes, the received certificate is verified to be passed, and if not, the received certificate is verified to be not passed.
CN201710518068.2A 2017-06-29 2017-06-29 Access control method and device Active CN107241341B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710518068.2A CN107241341B (en) 2017-06-29 2017-06-29 Access control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710518068.2A CN107241341B (en) 2017-06-29 2017-06-29 Access control method and device

Publications (2)

Publication Number Publication Date
CN107241341A CN107241341A (en) 2017-10-10
CN107241341B true CN107241341B (en) 2020-07-07

Family

ID=59990811

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710518068.2A Active CN107241341B (en) 2017-06-29 2017-06-29 Access control method and device

Country Status (1)

Country Link
CN (1) CN107241341B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557255A (en) * 2018-05-31 2019-12-10 北京京东尚科信息技术有限公司 certificate management method and device
CN111193698B (en) * 2019-08-22 2021-09-28 腾讯科技(深圳)有限公司 Data processing method, device, terminal and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7299354B2 (en) * 2003-09-30 2007-11-20 Intel Corporation Method to authenticate clients and hosts to provide secure network boot
CN102238161A (en) * 2010-04-23 2011-11-09 富士施乐株式会社 Communication control device and communication control system
US8386394B1 (en) * 2011-04-04 2013-02-26 Google Inc. Verifying that a purchasing request is legitimate
CN103067338A (en) * 2011-10-20 2013-04-24 上海贝尔股份有限公司 Third party application centralized safety management method and system and corresponding communication system
CN103200176A (en) * 2013-02-27 2013-07-10 中国工商银行股份有限公司 Identification method, identification device and identification system based on bank independent communication channel
CN103269270A (en) * 2013-04-25 2013-08-28 安徽杨凌科技有限公司 Real-name authentication safe login method and system based on cell phone number
WO2015195751A1 (en) * 2014-06-19 2015-12-23 Microsoft Technology Licensing, Llc Securing communications with enhanced media platforms
CN105530253A (en) * 2015-12-17 2016-04-27 河南大学 Wireless sensor network access authentication method based on CA certificate and under Restful architecture
EP2602758B1 (en) * 2010-07-08 2016-08-24 Korea Internet & Security Agency Electronic document distribution system
CN106789897A (en) * 2016-11-15 2017-05-31 沃通电子认证服务有限公司 For the digital certificate authentication method and system of application program for mobile terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130061038A1 (en) * 2011-09-03 2013-03-07 Barracuda Networks, Inc. Proxy Apparatus for Certificate Authority Reputation Enforcement in the Middle

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7299354B2 (en) * 2003-09-30 2007-11-20 Intel Corporation Method to authenticate clients and hosts to provide secure network boot
CN102238161A (en) * 2010-04-23 2011-11-09 富士施乐株式会社 Communication control device and communication control system
EP2602758B1 (en) * 2010-07-08 2016-08-24 Korea Internet & Security Agency Electronic document distribution system
US8386394B1 (en) * 2011-04-04 2013-02-26 Google Inc. Verifying that a purchasing request is legitimate
CN103067338A (en) * 2011-10-20 2013-04-24 上海贝尔股份有限公司 Third party application centralized safety management method and system and corresponding communication system
CN103200176A (en) * 2013-02-27 2013-07-10 中国工商银行股份有限公司 Identification method, identification device and identification system based on bank independent communication channel
CN103269270A (en) * 2013-04-25 2013-08-28 安徽杨凌科技有限公司 Real-name authentication safe login method and system based on cell phone number
WO2015195751A1 (en) * 2014-06-19 2015-12-23 Microsoft Technology Licensing, Llc Securing communications with enhanced media platforms
CN105530253A (en) * 2015-12-17 2016-04-27 河南大学 Wireless sensor network access authentication method based on CA certificate and under Restful architecture
CN106789897A (en) * 2016-11-15 2017-05-31 沃通电子认证服务有限公司 For the digital certificate authentication method and system of application program for mobile terminal

Also Published As

Publication number Publication date
CN107241341A (en) 2017-10-10

Similar Documents

Publication Publication Date Title
CN108512846B (en) Bidirectional authentication method and device between terminal and server
JP4638912B2 (en) Method for transmitting a direct proof private key in a signed group to a device using a distribution CD
EP2954448B1 (en) Provisioning sensitive data into third party network-enabled devices
CN110519309B (en) Data transmission method, device, terminal, server and storage medium
US7802092B1 (en) Method and system for automatic secure delivery of appliance updates
CN106571951B (en) Audit log obtaining method, system and device
CN113596046B (en) Bidirectional authentication method, device, computer equipment and computer readable storage medium
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
CN105471833A (en) Safe communication method and device
CN106790183A (en) Logging on authentication method of calibration, device
CN109831311B (en) Server verification method, system, user terminal and readable storage medium
CN111814132B (en) Security authentication method and device, security authentication chip and storage medium
JP2014006691A (en) Device authentication method and system
CN114793184B (en) Security chip communication method and device based on third-party key management node
CN106992978B (en) Network security management method and server
CN101582876A (en) Method, device and system for registering user generated content (UGC)
CN107241341B (en) Access control method and device
CN105308611A (en) Automated content signing for point-of-sale applications in fuel dispensing environments
CN113505353A (en) Authentication method, device, equipment and storage medium
CN110636503B (en) Data encryption method, device, equipment and computer readable storage medium
CN110034922B (en) Request processing method, processing device, request verification method and verification device
CN109981667B (en) User data transmission method and device
US20090210719A1 (en) Communication control method of determining whether communication is permitted/not permitted, and computer-readable recording medium recording communication control program
CN108429621B (en) Identity verification method and device
CN110602075A (en) File stream processing method, device and system for encryption access control

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant