CN112637360A - System, method, device, processor and storage medium for realizing secure communication between mobile terminal and web - Google Patents

Info

Publication number: CN112637360A
Application number: CN202011605681.6A
Authority: CN (China)
Prior art keywords: mobile terminal, web, data, module, secure communication
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN112637360B (en)
Inventors: 俞枫, 黄韦, 李威, 陶惠勇
Current assignee: Guotai Haitong Securities Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Guotai Junan Securities Co Ltd
Events: application filed by Guotai Junan Securities Co Ltd; priority to CN202011605681.6A; publication of CN112637360A; application granted; publication of CN112637360B; legal status Active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2151 Time stamp

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a system for secure communication between a mobile terminal and an embedded web page. It comprises an authority management module, which updates the domain names trusted within the application and their corresponding API methods and generates an authority configuration file carrying a timestamp and a version number, from which the mobile terminal updates its own configuration by version and timestamp; an encryption and encoding module, which applies symmetric and asymmetric encryption, encoding and random-string processing to data transmitted between the mobile terminal and the web end; and a data interaction module, which constructs the data structure used for communication between the mobile terminal and the web end and emits the generated message as a string. The invention also relates to a control method, a device, a processor and a computer-readable storage medium for secure communication between the mobile terminal and the web. With the system, method, device, processor and storage medium of the invention, the data transfer process has high security and high extensibility, and use of the mobile terminal during high-concurrency periods is ensured. Use of the whole communication mechanism broadens the application scenarios of cross-platform web content inside mobile applications and protects users' sensitive information.

Figure 202011605681

Description

System, method, device, processor and storage medium for realizing secure communication between mobile terminal and web
Technical Field
The invention relates to the technical field of computer application, in particular to the field of web secure communication, and specifically relates to a system, a method, a device, a processor and a computer readable storage medium for realizing secure communication between a mobile terminal and a web.
Background
A secure communication mechanism between the mobile terminal and the embedded WEB page addresses the security of data exchanged between the native application and the pages it embeds. Mobile development has grown with the spread of smart terminal devices; features are mostly built in the native language of each platform, which gives a good interactive experience but suffers from slow updates, high development cost and difficulty in bringing business online quickly. Embedding web pages is the usual answer to hybrid development with mobile applications and improves development efficiency, but because the web side is weaker in security, its interaction with the mobile terminal needs hardening.
Common encryption mechanisms are symmetric encryption (AES, DES and so on) and asymmetric encryption (RSA, ElGamal, ECC and so on). Symmetric encryption is efficient and simple to apply; asymmetric encryption, with its separate private and public keys, offers high security at a higher computational cost and is widely used in scenarios such as digital signatures to verify that data has not been tampered with.
Encoding: when data is carried in a web page and sent in a network request, the character sets in use may not agree, so characters can be treated as invalid or be truncated in transit. Encoding such as URL encoding is therefore applied, with UTF-8 as the character set so that Chinese and other non-ASCII characters are handled compatibly.
Domain name address and API security: a domain name address denotes a network address by host, subdomain and domain, locates the web page that provides a web service, and thereby distinguishes one web service from another. A mobile-terminal API can be exposed to the web as a response method: the native side intercepts the web call and dispatches to the corresponding method by the parsed method name.
Data interaction: the mobile terminal passes encapsulated data to the web end by invoking, through the JS engine, a method defined by the web end; in the other direction the web end's call is intercepted by the JS engine and the information is passed to the native method.
Disclosure of Invention
The invention aims to overcome the shortcomings of the prior art and provides a system, method, device, processor and computer-readable storage medium for secure communication between a mobile terminal and a web page, with high security, high extensibility and a wider range of application.
To achieve this, the system, method, device, processor and computer-readable storage medium for secure communication between a mobile terminal and a web according to the invention are as follows:
The system for secure communication between the mobile terminal and the web comprises:
an authority management module, which updates the domain names trusted within the application and their corresponding API methods, generates an authority configuration file with a timestamp and a version number, uploads the generated file to a CDN server, and lets the mobile terminal update its configuration file according to version and timestamp;
an encryption and encoding module, connected to the authority management module, which applies symmetric and asymmetric encryption, encoding and random-string processing to data transmitted between the mobile terminal and the web end; and
a data interaction module, connected to the encryption and encoding module, which constructs the data structure for communication between the mobile terminal and the web end and emits the message as a string.
Preferably, the system further comprises a user information module, connected to the authority management module, the encryption and encoding module and the data interaction module, which stores unified user login information, is used for identity authentication against the server, and supplies user account information in web communication.
Preferably, the configuration file of the authority management module includes domain names, paths and API method names.
Preferably, the encryption and encoding module symmetrically encrypts the data, computes an MD5 value over the encrypted data so that tampering can be detected, applies random-string and encoding processing to produce the encrypted service data, asymmetrically encrypts the MD5 value into a separate data item, loads that item and the service data into the corresponding JSON, and passes the JSON to the data interaction module.
Preferably, the data interaction module is split into two parts, one in the mobile terminal and one in the web end. The mobile-terminal part calls the web end through the JS engine and interacts with the web-end part asynchronously; the web-end part parses the data, checks the error code, reverses the encryption steps on the service data and returns the service data to the calling business code.
Preferably, the data structure of the data interaction module comprises an error code, error information, return data and a call number.
The control method for secure communication between the mobile terminal and the web using the above system comprises the following steps:
(1) the authority management server manages the configuration file; when the mobile terminal requests it, the server encrypts and returns the generated configuration file, and the mobile terminal stores the received data, decrypts it and places it in memory;
(2) a web service is accessed;
(3) the authority management module checks the domain name being opened and decides whether it lies within the trusted range by matching the domain name address and path address against the authority configuration file; if so, the web container is allowed to request the domain; otherwise the page is neither loaded nor displayed;
(4) the mobile terminal initiates the request to the web end for the legitimate web page, which is loaded and rendered by the web container;
(5) the web page calls a mobile-terminal API and the module decides whether that API service is permitted; if so, continue with step (6), otherwise return a no-permission error code;
(6) the data is passed to the user information module, which splices the common packet header, service parameters and function number into a service request, initiates an HTTPS request to the service server, and parses and processes the data the service request returns;
(7) the data returned by the mobile-terminal API response is passed to the encryption and encoding module, which applies symmetric encryption, asymmetric encryption, encoding and random-string obfuscation, assembles the encrypted data items into JSON and passes the JSON to the data interaction module;
(8) the mobile terminal assembles the data, encodes it as a string and returns it to the web end through the wrapped method.
Preferably, step (5) specifically comprises the following steps:
(5.1) the API of the mobile terminal is called;
(5.2) the authority management module checks whether the API method list under that domain name grants the API service permission; if so, the call is processed and the returned data is awaited; otherwise the no-permission error code is returned, and the data interaction module constructs the corresponding data structure and returns it to the web end.
The device for realizing the safe communication control between the mobile terminal and the web is mainly characterized by comprising the following components:
a processor configured to execute computer-executable instructions;
and the memory stores one or more computer-executable instructions, and when the computer-executable instructions are executed by the processor, the steps of the control method for realizing the secure communication between the mobile terminal and the web are realized.
The processor for realizing the control of the secure communication between the mobile terminal and the web is mainly characterized in that the processor is configured to execute computer-executable instructions, and when the computer-executable instructions are executed by the processor, the steps of the control method for realizing the secure communication between the mobile terminal and the web are realized.
The computer readable storage medium is mainly characterized in that a computer program is stored thereon, and the computer program can be executed by a processor to realize the steps of the control method for realizing the secure communication between the mobile terminal and the web.
The system, method, device, processor and computer-readable storage medium for secure communication between the mobile terminal and the web ensure high security in the data transmission process. The encryption scheme preserves communication efficiency while raising security: the mobile terminal, which is the trusted side, holds the private key and the symmetric key, and once the service data has been obtained it encrypts and encapsulates it into a single packet for transmission. The authority configuration file makes communication with the web more reliable; distributing it through a CDN gives high extensibility and ensures the mobile terminal can be used during high-concurrency periods. The whole mechanism widens the application scenarios of cross-platform web content inside the mobile application and protects users' sensitive information.
Drawings
Fig. 1 is an overall framework diagram of a system for implementing secure communication between a mobile terminal and a web according to the present invention.
Fig. 2 is an overall interaction timing diagram of the control method for implementing secure communication between the mobile terminal and the web according to the present invention.
Fig. 3 is a deployment plan diagram of an embodiment of the control method for implementing secure communication between the mobile terminal and the web according to the present invention.
Detailed Description
In order to more clearly describe the technical contents of the present invention, the following further description is given in conjunction with specific embodiments.
The system for secure communication between the mobile terminal and the web comprises the following components:
an authority management module, which updates the domain names trusted within the application and their corresponding API methods, generates an authority configuration file with a timestamp and a version number, uploads the generated file to a CDN server, and lets the mobile terminal update its configuration file according to version and timestamp;
an encryption and encoding module, connected to the authority management module, which applies symmetric and asymmetric encryption, encoding and random-string processing to data transmitted between the mobile terminal and the web end; and
a data interaction module, connected to the encryption and encoding module, which constructs the data structure for communication between the mobile terminal and the web end and emits the message as a string.
As a preferred embodiment of the invention, the system further includes a user information module, connected to the authority management module, the encryption and encoding module and the data interaction module, which stores unified user login information, is used for identity authentication against the server, and supplies user account information in web communication.
As a preferred embodiment of the invention, the configuration file of the authority management module includes domain names, paths and API method names.
As a preferred embodiment of the invention, the encryption and encoding module symmetrically encrypts the data, computes an MD5 value over the encrypted data so that tampering can be detected, applies random-string and encoding processing to produce the encrypted service data, asymmetrically encrypts the MD5 value into a separate data item, loads that item and the service data into the corresponding JSON, and passes the JSON to the data interaction module.
As a preferred embodiment of the invention, the data interaction module is split into two parts, one in the mobile terminal and one in the web end. The mobile-terminal part calls the web end through the JS engine and interacts with the web-end part asynchronously; the web-end part parses the data, checks the error code, reverses the encryption steps on the service data and returns the service data to the calling business code.
As a preferred embodiment of the invention, the data structure of the data interaction module comprises an error code, error information, return data and a call number.
The control method for secure communication between the mobile terminal and the web using the above system comprises the following steps:
(1) the authority management server manages the configuration file; when the mobile terminal requests it, the server encrypts and returns the generated configuration file, and the mobile terminal stores the received data, decrypts it and places it in memory;
(2) a web service is accessed;
(3) the authority management module checks the domain name being opened and decides whether it lies within the trusted range by matching the domain name address and path address against the authority configuration file; if so, the web container is allowed to request the domain; otherwise the page is neither loaded nor displayed;
(4) the mobile terminal initiates the request to the web end for the legitimate web page, which is loaded and rendered by the web container;
(5) the web page calls a mobile-terminal API and the module decides whether that API service is permitted; if so, continue with step (6), otherwise return a no-permission error code;
(5.1) the API of the mobile terminal is called;
(5.2) the authority management module checks whether the API method list under that domain name grants the API service permission; if so, the call is processed and the returned data is awaited; otherwise the no-permission error code is returned, and the data interaction module constructs the corresponding data structure and returns it to the web end;
(6) the data is passed to the user information module, which splices the common packet header, service parameters and function number into a service request, initiates an HTTPS request to the service server, and parses and processes the data the service request returns;
(7) the data returned by the mobile-terminal API response is passed to the encryption and encoding module, which applies symmetric encryption, asymmetric encryption, encoding and random-string obfuscation, assembles the encrypted data items into JSON and passes the JSON to the data interaction module;
(8) the mobile terminal assembles the data, encodes it as a string and returns it to the web end through the wrapped method.
As a preferred embodiment of the present invention, the apparatus for implementing secure communication control between a mobile terminal and a web includes:
a processor configured to execute computer-executable instructions;
and the memory stores one or more computer-executable instructions, and when the computer-executable instructions are executed by the processor, the steps of the control method for realizing the secure communication between the mobile terminal and the web are realized.
As a preferred embodiment of the present invention, the processor for implementing the control of the secure communication between the mobile terminal and the web is configured to execute computer-executable instructions, and when the computer-executable instructions are executed by the processor, the steps of the control method for implementing the secure communication between the mobile terminal and the web are implemented.
As a preferred embodiment of the present invention, the computer readable storage medium has a computer program stored thereon, and the computer program is executable by a processor to implement the steps of the above-mentioned control method for implementing secure communication between the mobile terminal and the web.
The invention provides a new secure communication mechanism between the mobile terminal and the web: admission of web services is enforced from the acquired configuration information, and web calls to native API methods are permission-checked at the same time.
Referring to fig. 1, the mechanism comprises a data interaction module, an encryption and encoding module, a user information module, an authority management module and an authority configuration service.
The authority management module lets operations and maintenance (O&M) staff enter and modify the trusted domain name addresses and the API methods they may call, generates an authority configuration file with timestamp and version information from that input, pushes the generated file to a CDN server, and lets the mobile terminal update its copy promptly by version and timestamp.
The encryption and encoding module encrypts and encodes the data returned to the web side. When the web end calls an API method provided by the mobile terminal and response data is returned, the data enters this module, which symmetrically encrypts it, computes an MD5 value with which tampering can be detected, applies random-string and encoding processing to produce the final encrypted service data, asymmetrically encrypts the MD5 value into a separate data item, loads that item and the service data into the corresponding JSON, and passes the JSON to the data interaction module.
The data interaction module constructs the data structure for communication between the mobile terminal and the web end (error code, error information, return data, call number and so on) and finally renders it as a string. The mobile terminal wraps a data interaction method that calls the web end through the JS engine and interacts with the web end asynchronously. The web end parses the data, checks the error code, reverses the encryption steps on the service data and returns it to the calling business code. The web end also wraps the call into the mobile-terminal method for use by business code.
The user information module is responsible for maintaining relevant information of user login and storing the information in a mobile terminal memory, wherein the information comprises sensitive information such as a mobile phone number, an equipment number, a token after login, a user account and the like. And the API is provided for the outside to be called to the web end, so that the corresponding user information can be obtained to carry out service processing.
The mobile terminal and web secure communication mechanism provided by the invention comprises a permission management module, a user information module, a service https construction request, an encryption coding module and a data interaction module.
The authority management module dynamically issues to each mobile terminal the authorized websites and the callable APIs (application programming interfaces) configured by operation and maintenance personnel. The user information module centrally manages the account information stored on the mobile terminal (the token, the mobile phone number and the user account number, whether the user is logged in or not), supplies uniform user-information request parameters for constructing service HTTPS requests, and keeps sensitive information from being stored directly on the web side: the mobile terminal constructs the request, performs the network communication with the service server and obtains the data. The encryption coding module applies symmetric and asymmetric encryption, encoding and random-string processing to the data transmitted between the mobile terminal and the web side, so that a high level of security is reached and sensitive information cannot be intercepted or read out by debugging the web page. The data interaction module implements a JSBridge framework on both the mobile side and the web side; it assembles and disassembles data in the agreed format and carries out the data exchange.
The authority management module is operated through a management end: operation and maintenance personnel update the domain names trusted within the application and the corresponding API methods, and the generated configuration file is uploaded to the CDN server for the mobile application to download and use. The configuration file carries a version number and verification characters; after downloading it, the mobile terminal decompresses, verifies and stores it.
The authority management module lets operation and maintenance personnel enter and modify trusted domain name addresses and callable API methods, and generates a permission configuration file with a timestamp and a version number. The configuration file contains domain names at several levels, a path and API method names. The generated file is pushed to the CDN server, and the mobile terminal updates its copy in time according to the version and the timestamp.
On the mobile terminal, the authority management module stores the configuration table issued by the permission service, parses it and keeps it in memory, updating the permission file in time according to the version number. The permission file is parsed into JSON data describing the authorized domain addresses (domain and path) and the API methods each domain name may access. The configuration file is protected with asymmetric encryption.
The authority management module is issued uniformly through the permission configuration service. It controls the whitelist of domain names allowed to be accessed and, at the same time, which mobile-terminal APIs each domain name may call, which gives very fine-grained control; the configuration can be updated, and the effective configuration file is modified through operation and maintenance. A service web page that holds the permission can be opened and displayed in the mobile terminal's web container and can call the API methods it is authorized for to obtain data from the mobile terminal. This achieves safe page display: an unauthorized page can neither be opened nor call the related API methods, untrusted or illegal third-party addresses cannot be opened in the app, and problems such as an unauthorized page being hijacked through an intermediate domain name in a complex mobile network are avoided. In a web page that is authorized to open, the request data exchanged with the mobile terminal passes through the encryption coding module and the user information module.
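The two decisions the authority management module makes (may this address be opened in the container, and may the page at this address call this mobile-terminal API) are shown below as an added example in JavaScript; this is illustration code, not the patent's own implementation, and it also covers steps 3 and 5 of the procedure described later. The configuration shape (version, timestamp, rules with domain, path and methods), the host names and the method names are constructed. One deliberate choice: the host is matched exactly rather than by substring, because a "contains" match on the domain name would accept trade.example.com.evil.net, and the path is matched on a segment boundary after URL normalisation so that /h5/../admin and /h5evil do not pass as /h5.

```javascript
// Added example (not the patent's own code): parsing the permission
// configuration and applying the two checks the authority management module
// performs. The config shape, hosts and method names are constructed.
const SAMPLE_CONFIG_JSON = JSON.stringify({
  version: 12,
  timestamp: 1609200000,
  rules: [
    { domain: 'Trade.Example.com', path: '/h5', methods: ['getUserInfo', 'httpsRequest'] },
    { domain: 'news.example.com', path: '/', methods: [] },
  ],
});

// Normalise the downloaded file once and keep the result in memory:
// lower-case hosts, a path prefix that always ends in '/', methods as a Set.
function parseConfig(json) {
  const raw = JSON.parse(json);
  return {
    version: Number(raw.version),
    timestamp: Number(raw.timestamp),
    rules: raw.rules.map((r) => ({
      domain: String(r.domain).toLowerCase(),
      path: String(r.path || '/').replace(/\/?$/, '/'),
      methods: new Set(r.methods || []),
    })),
  };
}

// A downloaded file replaces the in-memory one only if it is newer.
function shouldUpdate(local, remote) {
  return remote.version > local.version ||
    (remote.version === local.version && remote.timestamp > local.timestamp);
}

// Find the rule covering a URL. The host must match exactly (a substring
// match would let trade.example.com.evil.net through), the scheme must be
// https, and the path must start with the rule's prefix on a segment boundary.
function findRule(config, urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return null; }  // malformed address
  if (url.protocol !== 'https:') return null;
  const host = url.hostname.toLowerCase();
  const path = url.pathname.replace(/\/?$/, '/');               // '/h5' -> '/h5/'
  return config.rules.find((r) => r.domain === host && path.startsWith(r.path)) || null;
}

// Step 3 of the procedure: decide whether the container may load the address.
function canOpen(config, urlString) {
  return findRule(config, urlString) !== null;
}

// Step 5 of the procedure: decide whether the page may call a bridge method.
// Returns the agreed error shape instead of throwing so the caller can hand
// it to the data interaction module unchanged.
function canCallApi(config, pageUrl, method) {
  const rule = findRule(config, pageUrl);
  if (rule && rule.methods.has(method)) return { allowed: true };
  return { allowed: false, code: 'NO_PERMISSION', msg: `${method} not authorised for ${pageUrl}` };
}
```

Because `new URL` resolves dot segments and separates user-info from the host before the comparison, the check sees the address the container would actually request, which is the only form worth comparing against the whitelist.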
The user information module returns, inside the web request method, the user information stored uniformly by the mobile terminal, such as the user ID, account, mobile phone number and token. In a request that needs splicing, the corresponding account information is taken out according to the agreed strings to construct a complete HTTPS request, the network request is sent to the service server, and once the data is returned it enters the encryption coding module.
The user information module stores the user's sensitive information, such as the login token, user name and mobile phone number, in the mobile terminal's memory space, and, according to the corresponding API or key value in the web communication, obtains the corresponding user information or assembles the common packet header for the HTTPS request module to use.
The user information module holds the user's unified login information stored by the mobile terminal, used for server identity authentication and the like, and provides encrypted or star-masked user account information for web display or transmission.
Constructing a service HTTPS request: in service requests that require the mobile terminal to splice in sensitive data, the web side transmits the corresponding key values to the request module, which assembles the request packet header according to the rules and carries out the request communication with the service server.
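The point of the user information module is that the page names which stored values a request needs and the mobile side fills them in, so the raw token never crosses into web-side JavaScript. The following added example in JavaScript (illustration code, not the patent's own) shows that split: a request descriptor from the web side carrying key names, the header assembly on the mobile side from an in-memory store, and the masked view that is all the page may display. The store contents, the header names, the masking rules and the function-number field are constructed assumptions.

```javascript
// Added example (not the patent's own code): the web side names which stored
// values a service request needs; the mobile side fills them in from its own
// memory and the raw values never reach the page. Store contents, header
// names, masking rules and the funcNo field are constructed assumptions.
const userStore = {                       // held in the mobile terminal's memory only
  token: 'tk_9f1c2e7a',
  userId: '10001',
  account: 'acct0001',
  phone: '13800001234',
};

// Which stored value goes into which header; anything not listed here is
// refused even if the page asks for it.
const HEADER_FOR_KEY = {
  token: 'X-Auth-Token',
  userId: 'X-User-Id',
  account: 'X-Account',
  phone: 'X-Phone',
};

// Build the HTTPS request for the service server from a web-side descriptor
// such as { url, funcNo, params, keys: ['token', 'userId'] }.
function buildServiceRequest(store, webReq) {
  const headers = { 'Content-Type': 'application/json' };
  for (const key of webReq.keys || []) {
    const header = HEADER_FOR_KEY[key];
    if (!header || !(key in store)) {
      return { ok: false, code: 'BAD_KEY', msg: `unknown user-info key: ${key}` };
    }
    headers[header] = store[key];          // value copied from memory, not from the page
  }
  return {
    ok: true,
    method: 'POST',
    url: webReq.url,
    headers,
    body: JSON.stringify({ funcNo: webReq.funcNo, ...webReq.params }),
  };
}

// The only account data a page may display: masked, and never the token.
function userInfoForDisplay(store) {
  return {
    userId: store.userId,
    account: store.account.replace(/^(.{2}).*(.{2})$/, '$1****$2'),
    phone: store.phone.replace(/^(\d{3})\d{4}(\d{4})$/, '$1****$2'),
  };
}
```

The request object returned by `buildServiceRequest` is what the mobile side would hand to its HTTPS client; the page only ever sees the response after it has passed back through the encryption coding module.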
The encryption coding module symmetrically encrypts the original data, computes the MD5 of the encrypted data, applies UTF-8 character-set encoding and random-string obfuscation to the encrypted data, and then asymmetrically encrypts the MD5 value. The two resulting pieces of data are packaged into one JSON data item, each assigned to a different field, and transmitted to the data interaction module.
For data received by the mobile terminal, the encryption coding module removes the random string, performs symmetric and asymmetric decryption and, after decoding, converts the data into JSON for processing. Data processed by the mobile-terminal API is encoded, encrypted symmetrically and asymmetrically, given a random string, and the finished data is handed to the data interaction module for packaging.
The encryption coding module uses a hybrid of symmetric and asymmetric encryption: the original data is encrypted symmetrically, which keeps the operation efficient, and the MD5 value of the encrypted data is encrypted asymmetrically, so that efficiency is improved as a whole while tamper resistance of the data is also provided.
After the mobile-terminal API method has responded, the encryption coding module applies uniform symmetric and asymmetric encryption, encoding and random-string obfuscation to the returned data, giving confidentiality and tamper resistance during transmission. The data is then packaged into a complete return packet and transmitted back to the web side, achieving secure interaction between the mobile terminal and the web.
The data interaction module reassembles the mobile terminal's final encrypted data into a final data item and exchanges it with the web side through the JS engine. After receiving the data, the web side verifies its legitimacy by reversing the assembly, then parses and processes it, which realizes the secure communication with the mobile terminal.
The data interaction module packages the information according to the agreed data format, carrying the API response status code, the returned result set and the error information, then processes it into binary data and calls the well-defined data-receiving JS method in the web container to complete the transmission. After the web side receives the data, it parses the packet in reverse and branches on the status code into the corresponding processing logic.
Fig. 2 is a sequence diagram of the interaction in the secure communication between the mobile terminal and the web. The control method of the present invention for secure communication between the mobile terminal and the web, based on the system above, includes the following steps:
1. The configuration server stores the trusted domain name list entered by operation and maintenance personnel, i.e. the web pages that may be opened in the mobile terminal, each with the corresponding API methods that may be called. The file generated by the configuration service is encrypted and returned when the mobile terminal requests it; the mobile terminal stores the received information locally, decrypts it and places it in memory for use.
2. The user opens a web service in the mobile application and selects the web service to browse.
3. While the user opens the web service, the permission verification module checks the domain name being opened and determines whether it falls within the trusted domain name range of the permission configuration file. If the domain name matches an entry, the web container is allowed to request it; if the address is illegal, it is neither loaded nor displayed. Matching compares both the domain name address and the path address, and the domain name counts as whitelisted when both are contained.
4. After the permission check passes, the mobile terminal initiates the request to the web service, opens the corresponding web address and loads and renders it in the web container.
5. When the rendered web page calls a mobile-terminal API method during its JS processing, the permission verification module checks the list of API methods callable under that domain name in the configuration service and decides whether the data service may be provided to that web address. If the method list contains the corresponding API permission, the call is forwarded to the corresponding method for processing and the data to be returned is awaited; if not, a no-permission error code is returned and forwarded to the data interaction module, which constructs the corresponding data structure and returns it to the web side.
6. When the called method needs user information to make a service request, the data is sent to the user information module, the common packet header, the service parameters and the function number for the service request are spliced together, an HTTPS request to the service server is initiated, and the data returned by the service request is parsed and processed.
7. The data returned after the mobile-terminal API responds is passed to the encryption coding module, which applies symmetric and asymmetric encryption, encoding and random-string obfuscation, assembles the encrypted data items into JSON format and passes them to the data interaction module.
8. The mobile terminal assembles the data into the agreed format, including the error information and the response number, encodes it into a character string again and returns it to the web side through the encapsulated method.
Fig. 3 shows an example deployment of the mobile side and the web side. The permission configuration server is deployed internally, provides a management platform for operation and maintenance personnel to enter data, and uses a CDN service to deliver the generated configuration to the mobile terminal. In the mobile terminal the user information module, the encoding and decoding module, the authority management module and the web container are deployed in a decoupled way, and the calls between them use explicit data passing to avoid blocking. Web containers are kept in a container pool, which saves the start-up time of a fresh container, and the data interaction module then serves each web container. The service server is deployed as a cluster and scaled with the number of web services. The web service is deployed as a cluster, with its static resources cached on the CDN server.
For a specific implementation of this embodiment, reference may be made to the relevant description in the above embodiments, which is not described herein again.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that the terms "first," "second," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present invention, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method description in the flow charts or elsewhere herein may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process. Alternative implementations in which functions are executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, are included within the scope of the preferred embodiments of the present invention, as would be understood by those reasonably skilled in the art.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by suitable instruction execution devices. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination of them.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The system, method, device, processor and computer-readable storage medium for secure communication between the mobile terminal and the web provide high security during data transmission. The encryption scheme keeps data communication efficient while improving security: the mobile terminal holds the private key and the symmetric key, is trusted, and after obtaining the service data encrypts and encapsulates it into a single packet for transmission. The permission configuration file makes communication with the web more reliable; it is distributed through a CDN, which scales well and keeps serving the mobile terminals during periods of high concurrency. The communication mechanism as a whole widens the application scenarios of cross-platform web within mobile applications while protecting the user's sensitive information.
In this specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims (11)

1. A system for realizing secure communication between a mobile terminal and the web, characterized in that the system comprises: an authority management module, used to update the domain names trusted within the application and the corresponding API methods, to generate a permission configuration file with a timestamp and a version number, and to upload the generated configuration file to the CDN server so that the mobile terminal can update its configuration file according to the version and the timestamp; an encryption coding module, connected to the authority management module, used to perform symmetric and asymmetric encryption, encoding and random-string processing on the data transmitted between the mobile terminal and the web side; and a data interaction module, connected to the encryption coding module, used to construct the data structure for communication between the mobile terminal and the web side, the generated information being in the form of a string.
2. The system for realizing secure communication between a mobile terminal and the web according to claim 1, characterized in that the system further comprises a user information module, connected to the authority management module, the encryption coding module and the data interaction module, used to store the user's unified login information, used for server identity authentication, and to provide user account information in web communication.
3. The system for realizing secure communication between a mobile terminal and the web according to claim 1, characterized in that the configuration file of the authority management module includes a domain name, a path and API method names.
4. The system for realizing secure communication between a mobile terminal and the web according to claim 1, characterized in that the encryption coding module symmetrically encrypts the data, computes an MD5 value of the encrypted data to verify whether the data has been tampered with, performs random-string and encoding processing on the data to generate the encrypted service data, generates a data item from the MD5 value by asymmetric encryption, loads it together with the service data into the corresponding JSON data, and transmits it to the data interaction module.
5. The system for realizing secure communication between a mobile terminal and the web according to claim 1, characterized in that the data interaction module is divided into two parts, placed in the mobile terminal and on the web side respectively; the part in the mobile terminal calls the web side through the JS engine and interacts with the web-side part by asynchronous calls; the part on the web side parses the data and judges the error code, parses the service data in the reverse direction of the encryption, and returns it to the calling service code.
6. The system for realizing secure communication between a mobile terminal and the web according to claim 1, characterized in that the data structure of the data interaction module includes an error code, an error message, return data and a call number.
7. A control method for realizing secure communication between a mobile terminal and the web based on the system of claim 1, characterized in that the method comprises the following steps: (1) the authority management server requests the management configuration file and, when the mobile terminal requests it, encrypts and returns the generated configuration file; the mobile terminal stores the received information, decrypts it and places it in memory; (2) accessing the web service; (3) the authority management module checks the opened domain name and judges whether it is within the trusted domain name range by matching the domain name address and the path address in the permission configuration file; if so, the web container is allowed to request the domain name, otherwise it is not loaded or displayed; (4) the mobile terminal initiates a request to the web side to access the legitimate web page, which is loaded and rendered through the web container; (5) calling the mobile-terminal API and judging whether API service permission is granted; if so, continuing with step (6), otherwise returning a no-permission error code; (6) sending the data to the user information module, splicing the common packet header, the service parameters and the function number used for the service request, initiating the HTTPS request to the service server, and parsing and processing the data returned by the service request; (7) returning the data after the mobile-terminal API response to the encryption coding module, performing symmetric encryption, asymmetric encryption, encoding and random-string obfuscation on the data, assembling the encrypted data items into JSON format and passing them to the data interaction module; (8) the mobile terminal assembling the data, encoding it into a string and returning the data to the web side through the encapsulated method.
8. The control method for realizing secure communication between a mobile terminal and the web according to claim 7, characterized in that step (5) specifically comprises the following steps: (5.1) calling the mobile-terminal API; (5.2) the authority management module judging whether the list of API methods under the domain name can provide the API service permission; if so, performing the corresponding processing and waiting for the data to return; otherwise, returning a no-permission error code, and the data interaction module constructing the corresponding data structure and returning it to the web side.
9. A device for realizing secure communication control between a mobile terminal and the web, characterized in that the device comprises: a processor configured to execute computer-executable instructions; and a memory storing one or more computer-executable instructions which, when executed by the processor, implement the steps of the control method for realizing secure communication between a mobile terminal and the web according to claim 7 or 8.
10. A processor for realizing secure communication control between a mobile terminal and the web, characterized in that the processor is configured to execute computer-executable instructions which, when executed by the processor, implement the steps of the control method for realizing secure communication between a mobile terminal and the web according to claim 7 or 8.
11. A computer-readable storage medium, characterized in that a computer program is stored thereon, the computer program being executable by a processor to implement the steps of the control method for realizing secure communication between a mobile terminal and the web according to claim 7 or 8.
Publications (2)

Publication Number Publication Date
CN112637360A true CN112637360A (en) 2021-04-09
CN112637360B CN112637360B (en) 2023-03-24


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant