CN109194696A - A kind of data-interface non-proliferation method - Google Patents


Info

Publication number: CN109194696A
Authority: CN (China)
Prior art keywords: access, password, account, interface, time
Legal status: Granted
Application number: CN201811293009.0A
Other languages: Chinese (zh)
Other versions: CN109194696B (en)
Inventors: 张顺淼, 潘正祥, 吴少年, 吴祖扬, 龚小红
Current assignee: Fujian Star Net Tianhe Intelligent Technology Co ltd
Original assignee: Fujian University of Technology
Priority date: 2018-11-01
Filing date: 2018-11-01
Publication date: 2019-01-11

Classifications

    • H04L63/0838 Network architectures or network communication protocols for network security; authentication of entities using passwords; using one-time passwords
    • H04L63/0846 Network architectures or network communication protocols for network security; authentication of entities using passwords; using time-dependent passwords, e.g. periodically changing passwords
    • H04L63/107 Network architectures or network communication protocols for network security; controlling access to devices or network resources where the security policies are location-dependent, e.g. entity privileges depend on the current location, or specific operations are allowed only from locally connected terminals

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data interface anti-diffusion method. While a client requests the use of a service interface on the server side, a dynamic password is generated for the account from historical factors of that service interface, such as the previous access address, the previous access password and the previous access time; a security check on the access is performed with the dynamic password; and the single-use property of the dynamic password is used to decide whether the service interface may be used. The data interface anti-diffusion method of the invention prevents the service interface diffusion problem that follows a passive leak of the service interface password, and greatly increases the cost to an authorized user of actively leaking the service interface password, thereby reducing the diffusion of service interfaces.

Description

Data interface anti-diffusion method
Technical field
The present invention relates to the field of network technology, and in particular to a data interface anti-diffusion method.
Background technique
Many applications rely on heterogeneous data stores behind them. Most business operations need a data mart to provide secure, managed data access, data service transactions, data transmission and verification. In SOA, exposing enterprise data as a service that is decoupled from the underlying storage is what is meant by a data service.
WSO2 DSS (Data Services Server) makes SOA (Service-Oriented Architecture) development particularly easy by providing an easy-to-use platform: it integrates data storage, creates complex data views, and hosts data from separate sources (such as WS-* web services or REST-style web resources).
DSS mainly generates and publishes data from different data sources (relational databases, CSV files, Excel tables, Google Spreadsheets, etc.) as service interfaces, so that service interfaces can be generated quickly with zero code. In addition, DSS ships with an efficient container that keeps interfaces running stably and has good concurrent-processing capability.
Clients can access a service interface through a browser or programmatically to obtain data. DSS provides secure access control based on username and password authentication, together with secure transmission. On the basis of this security control, enterprise data can be authorized to a particular user in the form of a service interface, which makes the scope of data access controllable. However, if an authorized user accidentally spreads the service interface address, username and password to other users, those users can also access the service interface with the same parameters. The service interface is clearly diffused in this process, and the enterprise is unaware of it.
In view of the situation in which a service interface has been published and then diffused, this document proposes an effective method for service interface anti-diffusion that can significantly improve the access security of enterprise data.
Summary of the invention
The purpose of the present invention is to propose a method of authentication based on the access history of a service interface.
To achieve the above object, the technical scheme of the present invention is a data interface anti-diffusion method, comprising:
While a client requests the use of a service interface on the server side,
generating a dynamic password for the account from historical factors of the service interface, such as the previous access address, the previous access password and the previous access time;
performing a security check on the access with the dynamic password;
using the single-use property of the dynamic password to decide whether the service interface may be used.
Preferably, the server side includes DSS, and a time dynamic password generator is set up for DSS. Without changing the existing DSS framework, the dynamic password generator modifies the account access password of the service interface through the DSS control interface.
Preferably, the modification of the account access password by the time dynamic password generator includes:
On account initialization, generating an actual-use password from the account information "initial password + address + time" by means of an encryption algorithm;
Obtaining the access event information of the service interface (access time, access address, etc.) through the server-side DSS control interface and, combined with the access password used at the time of access, generating an actual-use password by means of the encryption algorithm.
Preferably, the client side includes an application client, and an account manager is set up for the application client to provide it with account services. When the application client needs to access a service, it obtains the account information for accessing the corresponding server, including the account and the password, from the account manager. After the application client has accessed the application successfully, it notifies the account manager to calculate the updated dynamic password.
Preferably, the calculation of the updated dynamic password by the account manager includes:
On account initialization, generating an actual-use password from the account information "initial password + address + time" by means of an encryption algorithm;
After the application client has accessed the service successfully, generating an actual-use password from the access time, access address and access password by means of the encryption algorithm;
Importing account information through a UKey, where the imported information mainly includes the last access address, access time and access password; the access password information is used the next time the service is accessed.
The beneficial effects of the present invention are:
The data interface anti-diffusion method of the present invention prevents the service interface diffusion problem that follows a passive leak of the service interface password, and greatly increases the cost to an authorized user of actively leaking the service interface password, thereby reducing the diffusion of service interfaces.
Detailed description of the invention
Fig. 1 is a logic diagram of the data interface anti-diffusion method of the present invention.
The drawings herein are incorporated into and form part of this specification; they show embodiments consistent with the invention and serve, together with the specification, to explain its principles.
Specific embodiment
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the drawings.
As shown in Figure 1, an embodiment of the data interface anti-diffusion method of the present invention comprises:
While a client requests the use of a service interface on the server side,
generating a dynamic password for the account from historical factors of the service interface, such as the previous access address, the previous access password and the previous access time;
performing a security check on the access with the dynamic password;
using the single-use property of the dynamic password to decide whether the service interface may be used.
One, the server side, including DSS. The time dynamic password generator set up for DSS is an independent program; without changing the existing DSS framework, it can modify the account access password of a specific service interface through the DSS control interface.
The time dynamic password generator modifies the account access password in two steps:
On account initialization, an actual-use password is generated by the encryption algorithm from the account information "initial password + 0.0.0.0 (address) + 19700101 (time)".
The access event information of a specific service interface (access time, access address, etc.) can be obtained through the DSS control interface; combined with the access password used at the time of access, an actual-use password is generated by the encryption algorithm.
After the dynamic password has been generated, the generator modifies the account access password of the specific service interface through the DSS control interface, so that the dynamic password of the service interface takes effect.
Two, the client side, including an "account manager" set up for the application client, which provides account services to the application client. With respect to DSS, the application client is the client program that uses the data service.
When the client needs to access a service, it obtains the account information for accessing the corresponding server, including the account and the password, from the "account manager". After the application client has accessed the application successfully, it must also notify the "account manager" to calculate the updated dynamic password.
In the application client, the "account manager" modifies the account information in three steps:
On account initialization, an actual-use password is generated by the encryption algorithm from the account information "initial password + 0.0.0.0 (address) + 19700101 (time)".
After the application client has accessed the service successfully, an actual-use password is generated by the encryption algorithm from the access time, access address and access password.
Account information can be imported (and correspondingly exported) through media such as a UKey; the imported information mainly includes the last access address, access time and access password. Only the access password information is actually used when the service is accessed next time.
Three, the dynamic password change process is as follows.
Server side and client side go through the same change process, as shown in Table 1 below.

Table 1
                        Last password   Last client address   Last access time   New password
Before the 1st access   InitKey         0.0.0.0               19700101           X89C05
After the 1st access    X89C05          10.2.3.1              20180608           FCD0X3
After the 2nd access    FCD0X3          10.2.3.1              20180609           47XGF6
After the 3rd access    47XGF6          10.8.55.6             20180610           89XGV3
……

(1) After account initialization, the dynamic password is calculated from the initial password, as in the 1st row of the table ("Before the 1st access"): the calculated password is "X89C05", the client address used in the calculation is "0.0.0.0", the time is "19700101", and the last password is the account's initial password.
(2) The first access to the service is made by client 10.2.3.1 using the password "X89C05"; after the access, the account information is updated to the 2nd row of the table, and the updated password is "FCD0X3".
(3) The second access is also made from 10.2.3.1, using the password "FCD0X3"; after the access, the account information is updated to the 3rd row of the table, and the updated password is "47XGF6".
(4) On the third access the client has changed: the access is made from 10.8.55.6 (the client address in the "After the 3rd access" row of the table) using the password "47XGF6"; after the access, the account information is updated to the "After the 3rd access" row of the table, and the updated password is "89XGV3".
The third access is somewhat special: the client address used by the account has changed.
Client: the account information from "After the 2nd access" must be moved from the old client to the new client through the export and import means provided by the dedicated client; for secrecy, the account information is not readable during the transfer.
Server side: from the perspective of the service access password, the server does not perceive the transfer of the client address; but after the service access, while dynamically updating the password, the server can perceive this change, and it keeps a record of it as maintenance information to facilitate auditing.
Four, the dynamic password calculation method.
(1) The password generation algorithm is configurable and selectable on the server and the client, e.g. MD5, DES or AES functions;
(2) The address and time information used in the calculation: as shown in the process above, the first access address is the all-zero address, i.e. 0.0.0.0, and the access time is 19700101. Subsequent calculations use the actual parameters.
(3) The parameters used in the password calculation: the address, time and last password above are given only as an example for ease of description. In an implementation they can be determined by the actual conditions; the main principle is that the server side and the client side can obtain identical parameter values on an equal footing.
If a specific cause leads to a difference between the server-side and client-side account information, so that the service can no longer be accessed, the server and the client need to be restored to the initialized state, i.e. the first recorded state in the table above. The means of synchronization is outside the scope of this case, e.g. through a service request work order system.
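Server and client keep the chain of Table 1 in lockstep: each side derives the next password from the previous password, the previous client address and the previous access time, and a password that has been used once no longer matches. The following Python sketch is an added example, not code from the patent or from WSO2 DSS: it replays Table 1 with the page's addresses (the 2018 dates are constructed), moves the account to a new client through an export/import record standing in for the UKey, and shows that replaying the leaked third password from the old client is rejected and logged. The SHA-256 derivation, the six-character width and the class names are assumptions.

```python
import hashlib
from dataclasses import dataclass

INIT_ADDRESS = "0.0.0.0"   # first-access address stated on the page
INIT_TIME = "19700101"     # first-access time stated on the page

def derive_password(last_password: str, last_address: str, last_time: str) -> str:
    """Next access password = f(last password, last client address, last access time).
    The page leaves f configurable (MD5, DES, AES are named); SHA-256 truncated to six
    upper-case hex characters, the width of the table's samples, is assumed here."""
    material = f"{last_password}+{last_address}+{last_time}".encode()
    return hashlib.sha256(material).hexdigest()[:6].upper()

@dataclass
class AccountState:
    """One row of Table 1: the factors from which the current password is derived."""
    last_password: str
    last_address: str
    last_time: str

    @classmethod
    def initial(cls, init_key: str) -> "AccountState":
        return cls(init_key, INIT_ADDRESS, INIT_TIME)

    def current_password(self) -> str:
        return derive_password(self.last_password, self.last_address, self.last_time)

    def advance(self, address: str, time: str) -> "AccountState":
        """Roll the chain forward after a successful access from (address, time)."""
        return AccountState(self.current_password(), address, time)

class ServerDSS:
    """Server side: DSS plus the time dynamic password generator. A real deployment
    would set the new password through the DSS control interface; here it is a field."""
    def __init__(self, init_key: str):
        self.state = AccountState.initial(init_key)
        self.audit = []  # address changes and rejections, kept for auditing

    def access(self, presented: str, address: str, time: str) -> bool:
        if presented != self.state.current_password():
            self.audit.append(("rejected", address, time))
            return False
        # The server only notices a client move while rolling the password forward.
        if self.state.last_address not in (INIT_ADDRESS, address):
            self.audit.append(("address changed", self.state.last_address, address))
        self.state = self.state.advance(address, time)
        return True

class AccountManager:
    """Client side: holds the account record and recomputes it after each success."""
    def __init__(self, state: AccountState):
        self.state = state

    def export_record(self) -> dict:
        """Stand-in for the UKey export; a real record would not be readable."""
        return dict(vars(self.state))

    @classmethod
    def import_record(cls, record: dict) -> "AccountManager":
        return cls(AccountState(**record))

    def use_service(self, server: ServerDSS, address: str, time: str) -> bool:
        ok = server.access(self.state.current_password(), address, time)
        if ok:  # the client notifies the manager to compute the updated password
            self.state = self.state.advance(address, time)
        return ok

def run_scenario():
    """Replays Table 1 (constructed dates), then replays the leaked third password."""
    server = ServerDSS("InitKey")
    client_a = AccountManager(AccountState.initial("InitKey"))
    r1 = client_a.use_service(server, "10.2.3.1", "20180608")
    r2 = client_a.use_service(server, "10.2.3.1", "20180609")
    client_b = AccountManager.import_record(client_a.export_record())  # UKey move
    leaked = client_a.state.current_password()  # 3rd password, copied before use
    r3 = client_b.use_service(server, "10.8.55.6", "20180610")
    replay = server.access(leaked, "10.2.3.1", "20180611")  # stale password: rejected
    return (r1, r2, r3), replay, server.state == client_b.state, server.audit
```

After the migration the old client still holds a valid-looking password, but the server's chain has already moved past it, which is exactly the single-use property the page relies on; the audit list is where the server records the address change for later review.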
The embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.

Claims (5)

1. A data interface anti-diffusion method, characterized in that it comprises:
While a client requests the use of a service interface on the server side,
generating a dynamic password for the account from historical factors of the service interface, such as the previous access address, the previous access password and the previous access time;
performing a security check on the access with the dynamic password;
using the single-use property of the dynamic password to decide whether the service interface may be used.
2. The data interface anti-diffusion method according to claim 1, characterized in that the server side includes DSS, a time dynamic password generator is set up for DSS, and the time dynamic password generator, without changing the existing DSS framework, modifies the account access password of the service interface through the DSS control interface.
3. The data interface anti-diffusion method according to claim 2, characterized in that the modification of the account access password by the time dynamic password generator includes:
On account initialization, generating an actual-use password from the account information "initial password + address + time" by means of an encryption algorithm;
Obtaining the access event information of the service interface (access time, access address, etc.) through the server-side DSS control interface and, combined with the access password used at the time of access, generating an actual-use password by means of the encryption algorithm.
4. The data interface anti-diffusion method according to claim 1, characterized in that the client side includes an application client, an account manager is set up for the application client to provide it with account services; when the application client needs to access a service, it obtains the account information for accessing the corresponding server, including the account and the password, from the account manager; and after the application client has accessed the application successfully, it notifies the account manager to calculate the updated dynamic password.
5. The data interface anti-diffusion method according to claim 4, characterized in that the calculation of the updated dynamic password by the account manager includes:
On account initialization, generating an actual-use password from the account information "initial password + address + time" by means of an encryption algorithm;
After the application client has accessed the service successfully, generating an actual-use password from the access time, access address and access password by means of the encryption algorithm;
Importing account information through a UKey, where the imported information mainly includes the last access address, access time and access password; the access password information is used the next time the service is accessed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811293009.0A CN109194696B (en) 2018-11-01 2018-11-01 Data interface anti-diffusion method


Publications (2)

Publication Number Publication Date
CN109194696A true CN109194696A (en) 2019-01-11
CN109194696B CN109194696B (en) 2021-09-21

Family

ID=64941164


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101686126A (en) * 2008-09-24 2010-03-31 北京创原天地科技有限公司 Method for certification of set of novel dynamic passwords and autonymous network accessing
CN102546580A (en) * 2011-01-04 2012-07-04 ***通信有限公司 Method, system and device for updating user password
CN103942485A (en) * 2014-04-28 2014-07-23 深圳市杰瑞特科技有限公司 Encryptor of mobile intelligent terminal and encryption method thereof
CN104243158A (en) * 2013-06-13 2014-12-24 松下电器产业株式会社 Authentication method, communication system, device and server
CN104954350A (en) * 2014-03-31 2015-09-30 腾讯科技(深圳)有限公司 Account information protection method and system thereof




Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
  Address after: 353000 South District School of materials, Fujian Institute of engineering, No. 3 Xueyuan Road, new area, University City, Fuzhou, Fujian
  Patentee after: Fujian University of Science and Technology
  Address before: 353000 South District School of materials, Fujian Institute of engineering, No. 3 Xueyuan Road, new area, University City, Fuzhou, Fujian
  Patentee before: FUJIAN University OF TECHNOLOGY
TR01 Transfer of patent right
  Effective date of registration: 20240104
  Address after: 7th Floor, No.1 Pilot Production Building, No. 9 Gaoxin Avenue, Shangjie Town, Minhou County, Fuzhou City, Fujian Province, 350100
  Patentee after: Fujian star net Tianhe Intelligent Technology Co.,Ltd.
  Address before: 353000 South District School of materials, Fujian Institute of engineering, No. 3 Xueyuan Road, new area, University City, Fuzhou, Fujian
  Patentee before: Fujian University of Science and Technology