WO2025102601A1 - Data access method and system, electronic device, storage medium and program product - Google Patents

Info

Publication number: WO2025102601A1
Authority: WO, WIPO (PCT)
Prior art keywords: data, client, access, information, identification information
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: PCT/CN2024/088086
Other languages: English (en), Chinese (zh)
Inventors: 王泽宇, 陈樟洪, 蔡纯钢, 莫元武
Current assignee: eBaoTech Corp
Original assignee: eBaoTech Corp
Application filed by eBaoTech Corp
Publication of WO2025102601A1

Classifications

All entries fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 for controlling access to devices or network resources > H04L63/105 Multiple levels of security
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 for authentication of entities > H04L63/0807 using tickets, e.g. Kerberos
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 for controlling access to devices or network resources > H04L63/101 Access control lists [ACL]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3247 involving digital signatures
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40 Network security protocols

Definitions

  • the present application relates to the field of data access technology, and in particular to a data access method, system, electronic device, storage medium and program product.
  • the present application provides a data access method, system, electronic device, storage medium and program product for authenticating the authority of a user client to access data, so as to prevent a user client without access authority from accessing data, thereby causing a data security risk.
  • the present application provides a data access method, which is applied to a server, and the method includes: receiving a data access request for first data sent by a client, the data access request including first authentication information corresponding to the first data, the first authentication information being sent by the server to the client in response to an authentication information acquisition request sent by the client before the data access request, and the first authentication information being generated by the server by signing first identification information corresponding to the first data according to first signature information corresponding to the first data; extracting first identification information and first signature information corresponding to the first data from the first authentication information included in the data access request; generating second signature information according to the first identification information; when the second signature information matches the first signature information, determining that the client has the authority to access the first data, and allowing the client to access the first data; when the second signature information does not match the first signature information, determining that the client does not have the authority to access the first data, and denying the client access to the first data.
  • the data access method provided by the implementation of the present application is that the server receives a data access request for the first data sent by the client, extracts the first identification information and the first signature information of the first data from the first authentication information included in the data access request, generates the second signature information according to the first identification information, and determines that the client has the right to access the first data when the second signature information matches the first signature information, and allows the client to access the first data; when the second signature information does not match the first signature information, the client is denied access to the first data.
  • in this way, the client's access right to any piece of data can be verified, preventing users without access rights from accessing the first data and causing data leakage. Therefore, the data access method provided by the present application ensures the security of data access.
  • an authentication information acquisition request includes second identification information of the client
  • the first authentication information is sent to the client in response to the authentication information acquisition request sent by the client before the data access request, including: in response to the authentication information acquisition request, determining a target list according to the second identification information included in the authentication information acquisition request, the target list including identification information and corresponding authentication information of target data to which the client has access rights, the target data including first data, the identification information including first identification information, and the authentication information including first authentication information; and sending the target list to the client.
  • when the client first requests access to the server, the server determines the target data to which the client has access rights, generates a target list from the identification information and signature information of that target data, and sends the target list to the client.
  • when the client subsequently accesses any data in the list, it only needs to provide the authentication information (i.e., identification information and signature information) corresponding to that data, so that the server can verify the client's access rights to the data based on the authentication information.
  • the authority management of a single piece of data is realized, ensuring the security of data access.
  • the second identification information is the user identification information of the first user corresponding to the client
  • the target list is determined according to the second identification information included in the authentication information acquisition request, including: performing authentication processing on the first user according to the user identification information to obtain an authentication result; when the authentication result is that the authentication is passed, determining the target data to which the first user has access rights, and generating a target list based on the identification information and signature information of the target data.
  • when the client accesses for the first time (that is, when it sends the request to obtain authentication information), the first user is first authenticated according to the user identification information of the first user corresponding to the client, so that after the first user passes the authentication, the corresponding target list is provided to the first user.
  • the first signature information is generated based on the first identification information; and the second signature information is generated based on the first identification information.
  • signature information corresponding to each data is generated according to the identification information of each data, so that the access rights of the client to each data are verified according to the signature information to ensure the security of the client accessing the data.
  • the method also includes: determining first user identification information of a first user, the first user being a user with access rights to the first data; generating first signature information based on the first identification information and the first user identification information; and generating second signature information based on the first identification information and the first user identification information.
  • signature information is generated based on the identification information of the data and the identification information of the user with access rights. In this way, unique signature information for the data can be generated for each user, preventing other users from accessing the data using the signature information of the user, further ensuring the security of data access.
  • the method further includes: if the data access request does not include the first authentication information, determining that the client does not have the authority to access the first data, and denying the client access to the first data.
  • if the access request does not contain authentication information, it means that the client does not have access rights to the data, and the client's access to the data is denied, thereby ensuring the security of data access.
  • an implementation of the present application provides a data access method, which is applied to a client, and the method includes: sending a data access request for first data to a server, so that the server extracts first identification information and first signature information corresponding to the first data from first authentication information included in the data access request, generates second signature information based on the first identification information, and when the second signature information matches the first signature information, determines that the client has the authority to access the first data, and allows the client to access the first data; when the second signature information does not match the first signature information, determines that the client does not have the authority to access the first data, and denies the client access to the first data. The first authentication information is sent by the server to the client in response to an authentication information acquisition request sent by the client before the data access request, and is generated by the server by signing the first identification information corresponding to the first data according to the first signature information corresponding to the first data.
  • an embodiment of the present application provides a data access method, which is applied to a data access system, wherein the data access system includes a server and a client, and the method includes: the client sends a data access request for first data to the server, the data access request includes first authentication information corresponding to the first data, the first authentication information is sent to the client by the server in response to an authentication information acquisition request sent by the client before the data access request, and the first authentication information is generated by the server by signing first identification information corresponding to the first data according to first signature information corresponding to the first data; the server receives the data access request, and extracts first identification information and first signature information corresponding to the first data from the first authentication information included in the data access request; the server generates second signature information according to the first identification information; when the second signature information matches the first signature information, the server determines that the client has the authority to access the first data, and allows the client to access the first data; when the second signature information does not match the first signature information, the server determines that the client does not have the
  • an embodiment of the present application provides a data access system, including a client and a server, wherein the client is used to send a data access request for first data to the server, the data access request including first authentication information corresponding to the first data, the first authentication information is sent to the client by the server in response to an authentication information acquisition request sent by the client before the data access request, and the first authentication information is generated by the server by signing first identification information corresponding to the first data according to first signature information corresponding to the first data; the server is used to receive the data access request, extract the first identification information and first signature information corresponding to the first data from the first authentication information included in the data access request; generate second signature information according to the first identification information; when the second signature information matches the first signature information, determine that the client has the authority to access the first data, and allow the client to access the first data; when the second signature information does not match the first signature information, determine that the client does not have the authority to access the first data, and deny the client access to the first data.
  • an embodiment of the present application provides an electronic device, comprising: a processor, and a memory communicatively connected to the processor; the memory stores computer-executable instructions; the processor executes the computer-executable instructions stored in the memory to implement the data access method provided by the implementation method of the first aspect above, or the data access method provided by the implementation method of the second aspect, or the data access method provided by the implementation method of the third aspect.
  • an embodiment of the present application provides a computer-readable storage medium, in which computer-executable instructions are stored.
  • when the computer-executable instructions are executed by a processor, they implement the data access method provided by the implementation method of the first aspect above, or the data access method provided by the implementation method of the second aspect, or the data access method provided by the implementation method of the third aspect.
  • an embodiment of the present application provides a computer program product, including a computer program, which, when executed by a processor, implements the data access method provided by the implementation method of the first aspect above, or the data access method provided by the implementation method of the second aspect, or the data access method provided by the implementation method of the third aspect.
  • the data access method provided by the implementation mode of the present application is that after the client sends an authentication information acquisition request to the server, the server feeds back a target list to the client, and the target list includes identification information and authentication information of target data to which the client has access rights.
  • after the client sends a data access request for a certain piece of data (e.g., the first data) to the server, the server extracts the identification information and signature information (i.e., the first signature information) corresponding to that data from the authentication information included in the data access request, and generates new signature information (i.e., the second signature information) based on the identification information.
  • if the extracted signature information (i.e., the first signature information) matches the generated signature information (i.e., the second signature information), the client has the authority to access the data and is allowed to access it. If the extracted signature information does not match the generated signature information, the client does not have the authority to access the data and is denied access.
  • signature information can also be generated based on user identification information (i.e., the first user identification information) so that one user client corresponds to one signature information.
  • FIG. 1 is a schematic diagram of the structure of a data access system provided in an embodiment of the present application.
  • FIG. 2 is a flow chart of a data access method corresponding to a server provided in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a process for a server to obtain a target list according to an embodiment of the present application.
  • FIG. 4 is a schematic flow chart of a data access method corresponding to a client provided in an embodiment of the present application.
  • FIG. 5 is a flow chart of a data access method corresponding to a data access system provided in an embodiment of the present application.
  • FIG. 6 is a schematic flow chart of a data access system obtaining a target list according to an embodiment of the present application.
  • FIG. 7 is a flow chart of another data access method corresponding to a data access system provided in an embodiment of the present application.
  • FIG. 8 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present application.
  • the current access control of data systems is based on user access rights to prevent malicious intrusions from having a significant impact on system network security. For example, after a user registers and logs in to a data system, the corresponding user client will obtain a unified access token for the user client to access the data system. The user client can subsequently access all resources and data in the data system based on the access token.
  • this method cannot achieve fine-grained control over data access and poses a data security risk.
  • if permission verification is performed based on the user token every time a single piece of data is read, access efficiency is affected.
  • the implementation of the present application provides a data access system and a data access method, which can be controlled based on access to data (i.e., resources).
  • Each data will be assigned a data ID (i.e., resource ID), and a signature corresponding to the data can be generated based on the data ID.
  • when the user client requests access, a list of the data that the user client can access (i.e., a target list) is generated; the data list contains each data ID and its corresponding signature, and the data ID and the signature together form a signed ID.
  • when the user client subsequently accesses a single piece of data, it only needs to provide the signed ID, and the access permission is verified through the signature, avoiding repeated verification of user identification information.
  • This method can control access to each resource, improve data security, and optimize the access efficiency of a single piece of data.
  • the data access system provided by the implementation of the present application includes a client 100 (i.e., the aforementioned user client) and a server 200.
  • the client 100 is used to send a data access request for the first data to the server 200, and the data access request includes first authentication information corresponding to the first data.
  • the first authentication information is sent to the client 100 by the server 200 in response to an authentication information acquisition request sent by the client 100 before the data access request, and the first authentication information is generated by the server 200 by signing the first identification information corresponding to the first data based on the first signature information corresponding to the first data.
  • the server 200 is used to receive a data access request, extract first identification information and first signature information corresponding to the first data from the first authentication information included in the data access request; generate second signature information based on the first identification information; when the second signature information matches the first signature information, determine that the client 100 has the access right to access the first data, and allow the client 100 to access the first data; when the second signature information does not match the first signature information, determine that the client 100 does not have the access right to access the first data, and deny the client 100 access to the first data.
  • the server 200 sends the first authentication information to the client 100 before the client 100 issues a data access request for the data. Subsequently, the client 100 sends a data access request for the first data to the server 200, and the server 200 obtains the first identification information and the first signature information in the first authentication information according to the data access request, and generates the second signature information according to the first identification information. If the second signature information matches the first signature information, the server 200 determines that the client 100 has the authority to access the first data, and allows the client 100 to access the first data. If the first signature information and the second signature information do not match, the server 200 determines that the client 100 does not have the authority to access the first data, and denies the client 100 access to the first data.
  • in this way, by setting authentication information for each piece of data, the client 100 sends an access request carrying the authentication information when accessing the data, and is allowed to access the data only after the signature information in the authentication information is verified. This not only realizes control of access rights to the data, but also eliminates the need for repeated verification of user identification information, thereby improving the security of data access and optimizing data access efficiency.
  • the client may be a front-end interface of an electronic device, or a first electronic device.
  • the server may be a back-end system of an electronic device, or a second electronic device or a cloud server.
  • the implementation of the present application provides a data access method, which is applied to a server 200, and the method includes the following steps.
  • S110 receiving a data access request for first data sent by the client 100, the data access request including first authentication information corresponding to the first data, the first authentication information is sent by the server 200 to the client 100 in response to an authentication information acquisition request sent by the client 100 before the data access request, and the first authentication information is generated by the server 200 by signing first identification information corresponding to the first data based on first signature information corresponding to the first data.
  • S120 Extract first identification information and first signature information corresponding to the first data from the first authentication information included in the data access request.
  • S130 Generate second signature information according to the first identification information.
  • S140 When the second signature information matches the first signature information, it is determined that the client 100 has the authority to access the first data, and the client 100 is allowed to access the first data.
  • when the server 200 receives the data access request sent by the client 100, the server 200 obtains the first identification information and the first signature information from the first authentication information included in the data access request, generates the second signature information according to the first identification information, allows the client 100 to access the first data if the second signature information matches the first signature information, and denies the client 100 access to the first data if the second signature information does not match the first signature information.
  • the client 100 can authenticate and verify the access rights to any data, so as to prevent users without access rights from accessing the first data and causing data leakage, thereby ensuring the security of data access.
  • step S110 a data access request for the first data sent by the client 100 is received, the data access request includes first authentication information corresponding to the first data, the first authentication information is sent to the client 100 by the server 200 in response to an authentication information acquisition request sent by the client 100 before the data access request, and the first authentication information is generated by the server 200 by signing the first identification information corresponding to the first data according to the first signature information corresponding to the first data.
  • the technical content of step S110 is explained below.
  • the server 200 needs to send the first identification information and the first signature information to the client 100 before the data access request.
  • when a protected piece of data is generated, that is, when the data enters the system, a unique data ID is generated for it according to the system rules; this ID is not yet signed. For example, a unique data ID is generated for the first data.
  • the system rule for generating identification information may specifically be numbering according to the order of data, or numbering according to data characteristics, etc.
  • the authentication information acquisition request includes the second identification information of the client 100.
  • sending the first authentication information to the client in response to the authentication information acquisition request sent by the client before the data access request includes the following steps.
  • S111 in response to the authentication information acquisition request, determining a target list according to the second identification information included in the authentication information acquisition request, the target list including identification information of target data to which the client 100 has access rights and corresponding authentication information, the target data including first data, the identification information including first identification information, and the authentication information including first authentication information.
  • when the server 200 receives the authentication information acquisition request sent by the client 100, the server 200 acquires from the request the user identification information (as an example of the second identification information) of the user using the client 100.
  • the second identification information may also be device information such as the device number of the client 100, network information such as the network status and network type of the communication connection between the client 100 and the server 200, etc.
  • for example, in an insurance policy scenario, the server system (i.e., the server 200) receives the user's query list request (as an example of a request to obtain authentication information).
  • when generating the abbreviated information list, the server system generates signature information based on the unique data ID of each insurance policy and the signature generation algorithm provided by the insurance policy data management service, generates a signed ID (as an example of authentication information) from the signature information and the original data ID (i.e., the data ID), and returns it to the client 100.
  • the resource owner (that is, the data management service) will develop a signature generation algorithm, which receives the data ID as an input parameter and outputs a signature. That is, in the implementation of this application, the signature information is generated based on the identification information. For example, the first signature information is generated based on the first identification information.
  • using a signature generation algorithm to sign data is to encrypt the data based on a secret key to generate encrypted data.
  • the first identification information corresponding to the first data is signed according to the first signature information corresponding to the first data to generate the first authentication information.
  • the first signature information and the first identification information are combined (as an example of signing) to generate the first authentication information.
  • the first identification information can also be encrypted according to the first signature information (as another example of signing) to generate the first authentication information.
  • the server 200 learns that the client 100 is allowed to view two insurance policy data with policyIDs 111 and 222 (as examples of target data), and obtains the signature corresponding to each policyID through the above-mentioned signature generation algorithm, splices the signature behind the identification information, and returns it to the client 100.
  • a target list is determined according to the second identification information included in the authentication information acquisition request, the target list includes authentication information of target data to which the client 100 has access rights, the target data includes first data, the identification information includes first identification information, and the authentication information includes first authentication information.
  • The first user is authenticated according to the user identification information to obtain an authentication result. If the authentication result is that the authentication is passed, the data to which the first user has access rights (as an example of target data) is determined, and a target list is generated according to the identification information and signature information of the target data.
  • Any one of the user identification information, client device information, network information, etc. can be authenticated, or authentication can be performed one by one based on each of the user identification information, client device information, network information, etc. to obtain the corresponding target data.
  • When the client 100 sends a request to obtain authentication information, the first user corresponding to the client 100 is first authenticated; after it is confirmed that the first user has access rights to the server system, the target data to which the first user has access rights is determined so as to generate a target list.
  • the target list includes data IDs (as an example of identification information of target data) to which the first user corresponding to the client 100 has access rights and corresponding signed IDs (as an example of authentication information of target data).
  • the user can initiate an access request for the first data (as an example of a data access request), and the authentication information included in the access request includes the data ID of the first data (as an example of the first identification information) and the signature corresponding to the first data (as an example of the first signature information).
  • After determining the target data to which the client 100 has access rights according to the identification information of the client 100, the server 200 generates a target list and sends the target list to the client 100.
  • If the second identification information is the device number and other information of the client 100, it is verified based on the device number and other information whether the client 100 has the authority to access the server system; if it has the authority, a target list of the data to which the client 100 has access rights is generated based on the device number and other information. If the second identification information is network information, it is verified based on the network information whether the client 100 has the authority to access the server system; if it has the authority, a target list of the data to which the client 100 has access rights is generated based on the network information.
  • Steps S111 to S112 are prerequisite steps of step S110.
  • After the client 100 receives the target list, if the user later needs to view the specific and complete information of a policy in the target list, the user only needs to obtain the authentication information of that data, carrying the correct signature information and identification information, to issue an access request to the server 200.
  • After receiving the data access request for the first data, the server 200 extracts the data ID and the signature information from the first authentication information: the first segment of the first authentication information is taken as the data ID, and the second segment is taken as the signature information.
  • When the server 200 determines that the client 100 has access rights to the data, the title, introduction, brief description and other information of the data are displayed on the client interface; when the user then accesses one of these data items, the client 100 automatically sends its authentication information to the server 200 so that the server 200 can verify the access rights of the client 100.
  • Next, the technical content of generating the second signature information according to the first identification information in step S130 is described.
  • the second signature information is generated according to the first identification information using the signature generation algorithm used to generate the first signature information.
  • the signature generation algorithm may specifically be any one of MD5, SHA1, SHA256, HMAC-SHA1, HMAC-SHA256, RSA, MD5WithRSA, SHA1WithRSA, etc.
  • a signature generation algorithm is used to encrypt the identification information of the data.
  • The signature generation algorithm for generating the first signature information and the signature generation algorithm for generating the second signature information must be consistent: since the first signature information is generated according to the first identification information, and the second signature information is also generated according to the first identification information, it is possible to verify whether the second signature information is consistent with the first signature information.
  • Next, step S140 is explained: when the second signature information matches the first signature information, it is determined that the client 100 has the authority to access the first data, and the client 100 is allowed to access the first data.
  • the second signature information is matched and verified with the first signature information. If the second signature information matches the first signature information, it means that the first identification information and the corresponding first signature information of the first data sent by the client 100 are the first identification information and the first signature information corresponding to the first data previously sent by the server 200. Therefore, the first authentication information has not been tampered with, the client 100 has the authority to access the first data, and the client 100 is allowed to access the first data.
  • When the client 100 issues the first access, the server 200 returns the target data in the target list to the client 100.
  • the target data in the target list is the data that the client 100 has access rights to, and the authentication information corresponding to the target data generated based on the identification information and the corresponding signature information is the correct authentication information that the client 100 can access the data.
  • When the client 100 initiates access to a data object (that is, data), the authentication information is used to access the data object, and the identification information in the authentication information needs to be signed and verified again, to prevent the user corresponding to the client 100 from privately changing the authentication information in the access request, such as privately changing the correspondence between the identification information and the signature information to obtain data that the client does not have access rights to. In this way, the accuracy of the authority authentication can be improved.
  • Next, step S150 is described: when the second signature information does not match the first signature information, it is determined that the client 100 does not have the authority to access the first data, and the client 100 is denied access to the first data.
  • the second signature information and the first signature information are matched and verified. If the signature information does not match, it means that the first identification information and the corresponding first signature information of the first data sent by the client 100 are not the first identification information and the first signature information corresponding to the first data previously sent by the server 200. Therefore, the first authentication information has been tampered with, the client 100 does not have the authority to access the first data, and the client 100 is denied access to the first data.
  • After the second signature information is generated, it is compared with 'aaa' in the request. If they match, the client 100 is allowed to access the detailed policy information of the first data. If they do not match, the client 100 is denied access to the detailed policy information of the first data.
  • In step S110, if the data access request does not include the first authentication information, the server 200 denies the client 100 access to the first data.
  • In step S120, if the server 200 fails to obtain the first identification information and/or the first signature information according to the first authentication information included in the data access request, the server 200 denies the client 100 access to the first data.
  • the first signature information may also be generated in the following manner.
  • the server 200 determines the user (as an example of the first user) corresponding to the client 100 that can access the first data (that is, the first user is a user with access rights to the first data), and generates signature information using a signature generation algorithm based on the user identification information of the user (such as a user code or user account, e.g. UserId) and the data ID of the first data.
  • the signature information of different users is different, which prevents the second user who does not have access rights from using the authentication information of the first user to access the first data after knowing the authentication information of the first user to access the first data, thereby ensuring the security of user access to data.
  • the server 200 determines the user identification information of the user who can access the first data, and generates the first signature information corresponding to each user according to the first identification information of the first data and the user identification information.
  • When the server 200 receives the user's first access request, it obtains the user's user identification information and determines the data list that the user can access. For each piece of data in the data list, the server 200 generates the corresponding signature information based on the data identification information and the user identification information.
  • For example, user A has the authority to access policy 111, and user B also has the authority to access policy 111. The signature information of policy 111 generated based on user A is not the same as the signature information of policy 111 generated based on user B. If user C uses the signature information of user A or user B to access policy 111, user C's access request will be rejected due to incorrect signature information.
  • Correspondingly, in step S130, when generating the second signature information, it is also necessary to generate the second signature information based on the first identification information and the first user identification information.
  • the user identification information of the user who will be able to perform query or access operations in the future can be combined to generate a unique signature information that binds the user and the data ID.
  • the signature information is spliced after the data ID and returned to the client 100.
  • the client 100 subsequently issues an access request based on the authentication information.
  • the second signature information is generated according to the first identification information and the user identification information using a signature generation algorithm for generating the first signature information.
  • the server 200 uses the signature generation algorithm to sign '111' and the user identification information therein to obtain the second signature information, and performs matching verification on the second signature information and the first signature information to obtain the client 100's permission to access the first data according to the matching result.
  • the data access method provided by the implementation of the present application is that when the client 100 sends an access request (that is, a request to obtain authentication information), the server 200 feeds back a target list to the client 100, and the target list includes the authentication information of the target data to which the client 100 has access rights.
  • the server 200 determines the identification information and signature information corresponding to the data according to the authentication information included in the access request, and generates new signature information according to the identification information. If the extracted signature information matches the generated signature information, it means that the client 100 has the right to access the data, and the client 100 is allowed to access the data. If the extracted signature information does not match the generated signature information, it means that the client 100 does not have the right to access the data, and the client 100 is denied access to the data.
  • signature information can also be generated based on user identification information/client device information/network information, so that one user/client corresponds to one signature.
  • the data access system performs data access control based on the signature information corresponding to the data ID. It generates a unique data ID for each protected data, and uses a signature generation algorithm to take the data ID as input and output a signature.
  • When the user requests a data list (i.e., sends an authentication information acquisition request), the server returns a data list (i.e., a target list), and includes the original data ID and the signed ID (i.e., the authentication information) in each data item. When the user subsequently accesses a piece of data, the signed ID is provided.
  • After receiving the access request, the server extracts the original data ID and signature information (i.e., the first signature information) from the signed ID, regenerates the signature information (i.e., the second signature information) using the original data ID and the signature generation algorithm, and matches it with the extracted signature information. Only when the signature information matches is the user's access request to the data approved. In this way, the access rights to a single piece of data can be controlled to ensure the security of data access.
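The signed-ID flow summarised above (target list generation in steps S111 to S112, verification in steps S120 to S150, and the user-bound variant of the signature) as an added Python example; it is not part of the patent text. The signature generation algorithm here is HMAC-SHA256 (one of the algorithms the page lists) keyed with a server-side secret, because an unkeyed digest of the data ID could be recomputed by the client; the secret, user IDs, policy IDs and access table are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed server-side secret for the "signature generation algorithm".
# The page lists MD5/SHA1/SHA256 next to HMAC variants; an unkeyed digest of the
# data ID can be recomputed by anyone holding the ID, so only a keyed MAC makes a
# privately filled-in signed ID fail verification as the page requires.
SERVER_SECRET = b"constructed-demo-key-not-for-production"

# Constructed access table standing in for the server's multi-layer permission
# filtering: which user (first user) may see which policy IDs (target data).
ACL: Dict[str, set] = {
    "userA": {"111", "222"},
    "userB": {"111"},
    "userC": set(),
}

SEP = "."  # separator between the data ID and the spliced-on hex signature


def sign(data_id: str, user_id: Optional[str] = None, key: bytes = SERVER_SECRET) -> str:
    """Signature generation algorithm: HMAC-SHA256 over the data ID.

    With user_id given, the MAC also covers the user identification information, so
    the same policy ID yields different signatures for different users (user-bound
    variant). Length prefixes keep ("ab","c") and ("a","bc") from colliding.
    """
    parts = [data_id] if user_id is None else [user_id, data_id]
    msg = b"".join(len(p).to_bytes(2, "big") + p.encode("utf-8") for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_signed_id(data_id: str, user_id: Optional[str] = None) -> str:
    """First authentication information: the signature spliced behind the data ID."""
    return f"{data_id}{SEP}{sign(data_id, user_id)}"


def target_list(user_id: str) -> List[Dict[str, str]]:
    """Steps S111-S112: after the user is authenticated, return the data IDs the
    user may access together with their signed IDs (the target list)."""
    return [
        {"policyID": pid, "signedID": make_signed_id(pid, user_id)}
        for pid in sorted(ACL.get(user_id, ()))
    ]


def check_access(signed_id: str, user_id: Optional[str] = None) -> Tuple[bool, str]:
    """Steps S120-S150: split the signed ID into data ID and first signature,
    regenerate the second signature from the data ID (and requesting user), compare.

    Returns (True, data_id) when access is allowed, (False, reason) when denied.
    No ACL lookup is needed: a matching signature proves the ID came from an
    earlier target list, which is the efficiency point the page makes.
    """
    data_id, sep, first_sig = signed_id.rpartition(SEP)
    if not sep or not data_id or not first_sig:
        return False, "malformed"            # S120: ID/signature not extractable
    second_sig = sign(data_id, user_id)      # S130: regenerate with same algorithm
    # Constant-time comparison; encode so odd input cannot raise instead of failing.
    if not hmac.compare_digest(first_sig.encode("utf-8"), second_sig.encode("utf-8")):
        return False, "signature mismatch"   # S150: tampered or not issued to user
    return True, data_id                     # S140: access allowed


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the page's scenarios with the constructed users and policies."""
    a_list = target_list("userA")
    a_111 = next(e["signedID"] for e in a_list if e["policyID"] == "111")
    a_sig = a_111.rpartition(SEP)[2]
    return {
        # legitimate access with a signed ID from the user's own target list
        "userA uses own signed 111": check_access(a_111, "userA"),
        # user swaps the ID but keeps the signature ("privately filled in")
        "userA swaps ID to 333": check_access(f"333{SEP}{a_sig}", "userA"),
        # user C replays user A's signed ID; the user-bound signature rejects it
        "userC replays userA's 111": check_access(a_111, "userC"),
        # unbound variant: the same replay succeeds, the gap user-binding closes
        "userC replays unbound 111": check_access(make_signed_id("111"), None),
        # request carrying a bare ID without authentication information
        "bare ID without signature": check_access("111", "userA"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:28s} -> {result}")
```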
  • the data access method provided by the implementation of the present application can also be applied to the client 100, and the client 100 sends a data access request for the first data to the server 200, so that the server 200 extracts the first identification information and the first signature information corresponding to the first data from the first authentication information included in the data access request, generates the second signature information according to the first identification information, and when the second signature information matches the first signature information, determines that the client 100 has the authority to access the first data, and allows the client 100 to access the first data; when the second signature information does not match the first signature information, determines that the client 100 does not have the authority to access the first data, and denies the client 100 access to the first data, and the first authentication information is sent to the client 100 by the server 200 in response to the authentication information acquisition request sent by the client 100 before the data access request, and the first authentication information is generated by the server 200 by signing the first identification information corresponding to the first data according to the first signature information corresponding to the first data.
  • The client 100 sends a request to access the first data (i.e., a data access request); the data access request includes the first authentication information, and the server 200 determines the first identification information and the first signature information based on the first authentication information included in the data access request. After generating the second signature information according to the first identification information, if the second signature information matches the first signature information, the client 100 accesses the first data; if the second signature information does not match the first signature information, the client 100 does not access the first data.
  • the client 100 specifically performs the following steps.
  • the client 100 sends an authentication information acquisition request to the server 200 , where the authentication information acquisition request includes the second identification information of the client 100 .
  • the client 100 receives a target list, wherein the target list is determined based on the second identification information included in the authentication information acquisition request by the server 200, the target list includes authentication information of target data to which the client 100 has access rights, the target data includes first data, the identification information includes first identification information, and the authentication information includes first authentication information.
  • the client 100 sends a data access request for the first data, so that the server 200 determines whether the client 100 has the authority to access the first data.
  • the client 100 sends a request for accessing a target list (that is, a request for obtaining authentication information), and the server 200 determines the target data to which the client 100 has access rights based on the identification information of the client 100 to generate a target list.
  • the server 200 sends the target list to the client 100, and the client 100 receives the target list.
  • the client 100 sends a data access request for the first data, so that the server 200 determines the first identification information and the first signature information based on the first authentication information included in the data access request.
  • After the second signature information is generated based on the first identification information, if the second signature information matches the first signature information, the client 100 accesses the first data, and if the second signature information does not match the first signature information, the client 100 does not access the first data.
  • steps S210 to S230 may refer to the technical solutions of the aforementioned steps S110 to S150 and the aforementioned steps S111 to S112.
  • the data access method provided by the implementation of the present application can also be applied to a data access system.
  • the data access method includes the following steps.
  • the client 100 sends a data access request for the first data to the server 200, the data access request includes first authentication information corresponding to the first data, the first authentication information is sent by the server 200 to the client 100 in response to an authentication information acquisition request sent by the client 100 before the data access request, and the first authentication information is generated by the server 200 by signing the first identification information corresponding to the first data according to the first signature information corresponding to the first data.
  • the server 200 receives a data access request, and extracts first identification information and first signature information corresponding to the first data from the first authentication information included in the data access request.
  • the server 200 generates second signature information according to the first identification information.
  • When the second signature information matches the first signature information, the server 200 determines that the client 100 has the authority to access the first data, and allows the client 100 to access the first data.
  • In step S350, when the second signature information does not match the first signature information, the server 200 determines that the client 100 does not have the authority to access the first data, and denies the client 100 access to the first data.
  • the client 100 sends a request for accessing the first data (i.e., a data access request) to the server 200.
  • the server 200 determines the first identification information and the first signature information based on the first authentication information included in the data access request. After generating the second signature information based on the first identification information, if the second signature information matches the first signature information, the client 100 is allowed to access the first data. If the second signature information does not match the first signature information, the client 100 is denied access to the first data.
  • steps S310 to S350 may refer to the technical solutions of the aforementioned steps S110 to S150.
  • the target list of target data composed of the first identification information and the first signature information is obtained in the following manner.
  • the client 100 sends an authentication information acquisition request to the server 200, where the authentication information acquisition request includes the second identification information of the client 100.
  • the server 200 determines a target list according to the second identification information included in the authentication information acquisition request, the target list includes authentication information of target data to which the client 100 has access rights, the target data includes first data, the identification information includes first identification information, and the authentication information includes first authentication information.
  • the server 200 sends the target list to the client 100 .
  • the client 100 sends a request for accessing a target list (i.e., a request for obtaining authentication information) to the server 200.
  • the server 200 determines the target data to which the client 100 has access rights based on the identification information of the client 100 to generate a target list.
  • the server 200 sends the target list to the client 100.
  • the client 100 receives the target list so that it can subsequently access the data in the target list based on the authentication information in the target list.
  • steps S311 to S313 may refer to the technical solutions of the aforementioned steps S111 to S112.
  • When the server 200 receives an access request from the client 100 to the system (i.e., an authentication information acquisition request), it first generates a target list of target data to which the client has access rights based on the identification information of the client 100, and feeds the target list back to the client 100 (see steps S311 to S313).
  • the client 100 subsequently issues an access request to access a certain data in the target list (i.e., a data access request)
  • the server obtains the identification information and signature information of the data based on the authentication information included in the data access request, and verifies the signature information to determine the client 100's access rights to the data (see steps S310 to S350).
  • the client 100 sends a data access request for the first data to the server 200, the data access request includes first authentication information, and the first authentication information is generated based on the first signature information and the first identification information of the first data.
  • The data access method provided by the implementation of this application can finely control the access to each data resource; while ensuring data security, it provides efficient access for legitimate users. Moreover, the granularity of data access control reaches the resource level. In addition, in the implementation of this application, by using the signed ID (that is, authentication information), repeated permission verification is avoided for a single piece of data, thereby optimizing access efficiency.
  • institutional permissions and other multiple dimensions of permission control. It is necessary to go through layers of filtering in various subsystems on the server to obtain, from all the selected target data, the series of data IDs that the user has access to, sign them when returning them to the user, and return the data ID and signature information to the user together.
  • When the user subsequently uses the signed ID to access the data, only a simple verification using the signature generation algorithm is needed. If the signature matches, it can be determined that the data ID was obtained by the user through the earlier complex permission verification rather than filled in privately, because a privately filled-in signed ID cannot carry the correct signature information. In this way, when accessing data, there is no need to go through multiple layers of verification, which optimizes the access efficiency of a single piece of data.
  • the data access method provided by the implementation method of the present application is not only used in the insurance field to perform policy data access control, but can also be applied to any other field, such as any field that requires data security protection, to achieve data access control through the data access method provided by the implementation method of the present application.
  • the data access method provided by the implementation of the present application can also be applied to an electronic device, which includes a data access system, or includes a server 200, or includes a client 100.
  • the data access method is implemented by the electronic device based on a processor to implement the data access method executed by the server 200 or the client 100 or the data access system.
  • Fig. 8 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present application.
  • the electronic device may include: a transceiver 121, a processor 122, and a memory 123.
  • the processor 122 executes the computer execution instructions stored in the memory, so that the processor 122 executes the scheme in the above embodiment.
  • the processor 122 can be a general-purpose processor, including a central processing unit CPU, a network processor (NP), etc.; it can also be a digital signal processor DSP, an application-specific integrated circuit ASIC, a field programmable gate array FPGA or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components.
  • the memory 123 is connected to the processor 122 via a system bus and completes communication between them.
  • the memory 123 is used to store computer program instructions.
  • the memory 123 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, a tape, or a universal serial bus (USB) drive, or a combination of two or more of these.
  • the memory 123 may include a removable or non-removable (or fixed) medium.
  • the memory 123 may be inside or outside the integrated gateway device.
  • the memory 123 is a non-volatile solid-state memory.
  • the memory 123 includes a read-only memory (ROM).
  • the ROM may be a mask-programmed ROM, a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), an electrically rewritable ROM (EAROM), or flash memory, or a combination of two or more of these.
  • the transceiver 121 may be used to obtain tasks to be executed and configuration information of the tasks to be executed.
  • the system bus can be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • the system bus can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one thick line is used in the figure, but it does not mean that there is only one bus or one type of bus.
  • the transceiver is used to realize the communication between the database access device and other computers (such as clients, read-write libraries, and read-only libraries).
  • the memory may include random access memory (RAM) and may also include non-volatile memory.
  • the electronic device provided in the embodiment of the present application may be the terminal device of the above embodiment.
  • the aforementioned load unit may also be a load balancing device.
  • the front-end unit may be an external front-end device.
  • the application service unit may be a data access application device. Therefore, the data access system in the implementation of the present application may also be composed of multiple electronic devices, each of which works together to implement the above data access method.
  • An embodiment of the present application also provides a chip for executing instructions, which is used to execute the technical solution of the data access method in the above embodiment.
  • An embodiment of the present application further provides a computer-readable storage medium, in which computer instructions are stored.
  • when the computer instructions are executed on a computer, the computer executes the technical solution of the data access method of the above embodiment.
  • various aspects of the method provided in the present application may also be implemented in the form of a program product, which includes program code.
  • when the program product is run on a computer device, the program code is used to enable the computer device to execute the steps of the method according to the various exemplary embodiments of the present application described above in this specification.
  • the computer device may execute the data access method recorded in the embodiments of the present application.
  • the program product may employ any combination of one or more readable media.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination of the above. More specific examples of readable storage media (a non-exhaustive list) include: an electrical connection with one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
  • the implementation method of the present application also provides a computer program product, which includes a computer program stored in a computer-readable storage medium. At least one processor can read the computer program from the computer-readable storage medium. When at least one processor executes the computer program, it can implement the technical solution of the data access method in the above embodiment.
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable information processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable information processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to a data access method and system, an electronic device, a storage medium and a program product. The method is applied to a server and comprises the following steps: the server receives from a client a data access request concerning first data; extracts, from first authentication information included in the data access request, first identification information and first signature information corresponding to the first data; generates second signature information on the basis of the first identification information; when the second signature information matches the first signature information, determines that the client has permission to access the first data and allows the client to access the first data; and, when the second signature information does not match the first signature information, determines that the client does not have permission to access the first data and rejects the client's access to the first data. The present application thus makes it possible to authenticate and verify clients' authorization to access any data, so as to prevent users without access authorization from accessing the first data, thereby guaranteeing data access security.
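The server-side check the abstract describes, as an added example that is not part of the patent: HMAC-SHA256 over canonical JSON is assumed as the signature function and the server key is a constructed placeholder, since the patent specifies neither. The check also rejects identification information that names different data than the request does, which is how a signature issued for one resource is kept from being reused against another.

```python
import hashlib
import hmac
import json

# Assumed: the key the server used when the identification information was signed.
# The patent does not say how this key is provisioned; this is a constructed value.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sign_identification(identification: dict, key: bytes = SERVER_KEY) -> str:
    """Derive signature information from identification information.

    Canonical JSON (sorted keys, no whitespace) keeps the signed bytes stable, so the
    server's recomputation (the 'second signature') can match the issued one."""
    payload = json.dumps(identification, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_authentication_info(client_id: str, data_id: str) -> dict:
    """The 'first authentication information' a client carries in its request:
    identification information plus the signature information computed over it."""
    identification = {"client_id": client_id, "data_id": data_id}
    return {"identification": identification, "signature": sign_identification(identification)}


def build_request(client_id: str, data_id: str) -> dict:
    """A constructed data access request for the data identified by data_id."""
    return {"data_id": data_id, "authentication": issue_authentication_info(client_id, data_id)}


def authorize_access(request: dict, requested_data_id: str) -> bool:
    """Server side of the method: extract first identification and first signature,
    regenerate a second signature from the identification, compare, allow or reject."""
    auth = request.get("authentication", {})
    identification = auth.get("identification")
    first_signature = auth.get("signature")
    if not isinstance(identification, dict) or not isinstance(first_signature, str):
        return False  # malformed authentication information: reject
    # The identification must correspond to the data actually requested; otherwise a
    # valid signature for one record could be presented when asking for another.
    if identification.get("data_id") != requested_data_id:
        return False
    second_signature = sign_identification(identification)
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(second_signature.encode(), first_signature.encode())
```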
PCT/CN2024/088086 2023-11-13 2024-04-16 Procédé et système d'accès aux données, dispositif électronique, support de stockage et produit-programme Pending WO2025102601A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202311507547.6A CN117499122A (zh) 2023-11-13 2023-11-13 数据访问方法、系统、电子设备、存储介质及程序产品
CN202311507547.6 2023-11-13

Publications (1)

Publication Number Publication Date
WO2025102601A1 true WO2025102601A1 (fr) 2025-05-22

Family

ID=89674132

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/088086 Pending WO2025102601A1 (fr) 2023-11-13 2024-04-16 Procédé et système d'accès aux données, dispositif électronique, support de stockage et produit-programme

Country Status (2)

Country Link
CN (1) CN117499122A (fr)
WO (1) WO2025102601A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117499122A (zh) * 2023-11-13 2024-02-02 易保网络技术(上海)有限公司 数据访问方法、系统、电子设备、存储介质及程序产品

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1633084A (zh) * 2004-12-28 2005-06-29 北京邮电大学 用于应用服务器的基于令牌的细粒度访问控制系统及方法
WO2017042400A1 (fr) * 2015-09-11 2017-03-16 Dp Security Consulting Sas Procédé d'accès à un service en ligne au moyen de jetons d'accès et d'éléments sécurisés limitant l'utilisation de ces jetons d'accès à leur propriétaire légitime
CN115987547A (zh) * 2022-11-02 2023-04-18 四川大学 一种多平台互联互通的云连接器系统
CN117499122A (zh) * 2023-11-13 2024-02-02 易保网络技术(上海)有限公司 数据访问方法、系统、电子设备、存储介质及程序产品

Also Published As

Publication number Publication date
CN117499122A (zh) 2024-02-02

Similar Documents

Publication Publication Date Title
TWI762926B (zh) 存取控制方法和存取控制裝置
US9166966B2 (en) Apparatus and method for handling transaction tokens
US8713672B2 (en) Method and apparatus for token-based context caching
US8572686B2 (en) Method and apparatus for object transaction session validation
US8566918B2 (en) Method and apparatus for token-based container chaining
US8806602B2 (en) Apparatus and method for performing end-to-end encryption
US8752157B2 (en) Method and apparatus for third party session validation
KR20170092642A (ko) 기대치에 따른 데이터 보안 작동
US8458781B2 (en) Method and apparatus for token-based attribute aggregation
US20240037643A1 (en) Method and system for digital contents by use of rental nft
US8572690B2 (en) Apparatus and method for performing session validation to access confidential resources
US8572724B2 (en) Method and apparatus for network session validation
US20130047214A1 (en) Method and apparatus for token-based combining of authentication methods
WO2021164598A1 (fr) Système de vérification d'autorisation, procédé et appareil pour application, et support de stockage
US10158623B2 (en) Data theft deterrence
WO2025102601A1 (fr) Procédé et système d'accès aux données, dispositif électronique, support de stockage et produit-programme
CN112433985A (zh) 控制提交给计算系统的信息的组合
US20130047215A1 (en) Method and apparatus for token-based reassignment of privileges
CN115643061A (zh) 微服务网关鉴权方法、装置、设备及介质
KR20250135250A (ko) 리소스에 액세스하기 위한 액세스 게이트웨이 시스템
US8726340B2 (en) Apparatus and method for expert decisioning
US8584201B2 (en) Method and apparatus for session validation to access from uncontrolled devices
US8572688B2 (en) Method and apparatus for session validation to access third party resources
US20130047265A1 (en) Method and Apparatus for Token-Based Conditioning
US8572687B2 (en) Apparatus and method for performing session validation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24889974

Country of ref document: EP

Kind code of ref document: A1