CN114238916B - Communication methods, devices, computer equipment and storage media - Google Patents

Communication methods, devices, computer equipment and storage media

Info

Publication number
CN114238916B
Authority
CN
China
Prior art keywords
certificate
cloud
server
target server
transaction message
Prior art date
Legal status
Active
Application number
CN202111492000.4A
Other languages
Chinese (zh)
Other versions
CN114238916A
Inventor
杨成海
赵娜
谢晖
钱俊杰
吴孟晴
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Priority date
Filing date
Publication date
Application filed by China Construction Bank Corp
Priority to CN202111492000.4A
Publication of CN114238916A
Application granted
Publication of CN114238916B
Current legal status: Active
Anticipated expiration

Classifications

    • G06F21/33 User authentication using certificates (G Physics; G06 Computing or calculating; counting; G06F Electric digital data processing; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31 User authentication)
    • G06F21/602 Providing cryptographic facilities or services (G06F21/60 Protecting data)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (G06F21/60 Protecting data)
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance (G06Q Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; G06Q40/00 Finance; insurance; tax strategies; processing of corporate or income taxes)

Abstract

This application relates to a communication method, apparatus, computer device, and storage medium. A target server generates and returns certificate information based on the user identity information in a certificate application request sent by a cloud server. The cloud server saves the first certificate from the certificate information sent by the target server and the local certificate from the second certificate, and sends the cloud certificate from the second certificate to the target server for storage. The target server verifies the cloud server based on the cloud certificate, the local certificate in the communication request sent by the cloud server, and the first certificate, and establishes a communication connection with the cloud server after successful verification. Compared to traditional methods of accessing banking systems through physical hardware, this solution uses certificate information corresponding to the user's identity as the verification basis and segments the certificate information into locally stored certificates and cloud-stored certificates to prevent unauthorized use and improve the security of accessing the banking system.

Description

Communication method, communication device, computer equipment and storage medium
Technical Field
The present application relates to the field of big data access technologies, and in particular, to a communication method, apparatus, computer device, and storage medium.
Background
Banks are among the institutions people rely on in daily life. With the development of network technology, online banking has appeared and users can access a bank system over a network. Because the bank server is a critical system, its security must be guaranteed; at present, to secure the bank server, a user accessing it must use a specific piece of physical hardware (a hardware token) as the identity credential. However, physical hardware carries a high risk of loss, and a lost token can lead to a security incident.
The current approach of accessing the bank server by means of physical hardware therefore has the drawback that communication with the bank is less secure: the hardware is easy to lose, and once it is lost a security incident can follow.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a communication method, apparatus, computer device, and storage medium that can improve security of access to a bank server.
A communication method applied to a cloud server, the method comprising:
generating a certificate application request according to user identity information corresponding to the cloud server and sending it to a target server, wherein the target server is used for generating certificate information according to the user identity information and returning it; the certificate information comprises a first certificate and a second certificate, the second certificate comprises a local certificate and a cloud certificate, and the first certificate and the second certificate use different cryptographic algorithms;
the method comprises the steps of obtaining certificate information sent by a target server, storing the first certificate and the local certificate, and sending the cloud certificate to the target server;
sending a communication request to the target server according to the first certificate and the local certificate, wherein the target server is used for establishing a communication connection with the cloud server after verifying the cloud server according to the cloud certificate, the local certificate and the first certificate.
In one embodiment, the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate;
the obtaining the certificate information sent by the target server, storing the first certificate and the local certificate, and sending the cloud certificate to the target server includes:
Acquiring an RSA certificate and an SM2 certificate sent by the target server;
Storing the RSA certificate and the local SM2 certificate, and sending the cloud SM2 certificate to the target server, wherein the target server is used for storing the cloud SM2 certificate.
In one embodiment, the sending, according to the first certificate and the local certificate, a communication request to the target server includes:
generating a two-way (mutually authenticated) HTTPS communication request whose request information comprises the RSA certificate and the local SM2 certificate, and sending it to the target server.
In one embodiment, after the sending the communication request to the target server according to the first certificate and the local certificate, the method further includes:
receiving a transaction request, generating a collaborative signature request according to the transaction message, and sending the collaborative signature request to the target server, wherein the target server is used for sending a processing-passed result to the cloud server after processing the collaborative signature request;
receiving the processing-passed result sent by the target server, generating a transaction message signature corresponding to the transaction message, and encrypting the transaction message to obtain an encrypted transaction message;
sending the encrypted transaction message and the transaction message signature to the target server, wherein the target server is used for processing the transaction message after decrypting the encrypted transaction message and verifying the transaction message signature.
A communication method applied to a target server, the method comprising:
receiving a certificate application request sent by a cloud server, the request information of which comprises user identity information, generating corresponding certificate information according to the user identity information, and returning it to the cloud server; the certificate information comprises a first certificate and a second certificate; the second certificate comprises a local certificate and a cloud certificate; the cloud server is used for storing the first certificate and the local certificate and sending the cloud certificate to the target server;
receiving and storing the cloud certificate sent by the cloud server;
obtaining a communication request sent by the cloud server, the request information of which comprises the first certificate and the local certificate, verifying the cloud certificate, the local certificate and the first certificate, and establishing a communication connection with the cloud server when verification passes.
In one embodiment, after the communication connection is established with the cloud server when the verification is passed, the method further includes:
obtaining the collaborative signature request sent by the cloud server, processing the collaborative signature request through a security server interface, and sending a processing-passed result to the cloud server; the cloud server is used for receiving the processing-passed result and sending the encrypted transaction message and the transaction message signature to the target server;
obtaining the encrypted transaction message and the transaction message signature, decrypting the encrypted transaction message, verifying the decrypted transaction message against the transaction message signature through the security server interface, and processing the transaction message if verification passes.
A communication system includes a cloud server and a target server:
the cloud server is used for generating a certificate application request according to user identity information corresponding to the cloud server and sending the certificate application request to the target server;
the target server is used for receiving the certificate application request sent by the cloud server, the request information of which comprises the user identity information, generating corresponding certificate information according to the user identity information and returning it to the cloud server, wherein the certificate information comprises a first certificate and a second certificate, and the second certificate comprises a local certificate and a cloud certificate;
The cloud server is used for storing the first certificate and the local certificate and sending the cloud certificate to the target server;
the target server is used for storing the cloud certificate;
the cloud server is used for sending a communication request to the target server according to the first certificate and the local certificate;
And the target server is used for establishing communication connection with the cloud server after the cloud server is verified according to the cloud certificate, the local certificate and the first certificate.
A communication device for application to a cloud server, the device comprising:
The application module is used for generating a certificate application request according to user identity information corresponding to the cloud server and sending it to a target server, wherein the target server is used for generating certificate information according to the user identity information and returning it; the certificate information comprises a first certificate and a second certificate, the second certificate comprises a local certificate and a cloud certificate, and the first certificate and the second certificate use different cryptographic algorithms;
The acquisition module is used for acquiring the certificate information sent by the target server, storing the first certificate and the local certificate and sending the cloud certificate to the target server;
the communication module is used for sending a communication request to the target server according to the first certificate and the local certificate, wherein the target server is used for establishing a communication connection with the cloud server after verifying the cloud server according to the cloud certificate, the local certificate and the first certificate.
In one embodiment, the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate;
The acquisition module is specifically configured to:
Acquiring an RSA certificate and an SM2 certificate sent by the target server;
Storing the RSA certificate and the local SM2 certificate, and sending the cloud SM2 certificate to the target server, wherein the target server is used for storing the cloud SM2 certificate.
In one embodiment, the communication module is specifically configured to:
generating a two-way (mutually authenticated) HTTPS communication request whose request information comprises the RSA certificate and the local SM2 certificate, and sending it to the target server.
In one embodiment, the apparatus further comprises a transaction request module for:
receiving a transaction request, generating a collaborative signature request according to the transaction message, and sending the collaborative signature request to the target server, wherein the target server is used for sending a processing-passed result to the cloud server after processing the collaborative signature request;
receiving the processing-passed result sent by the target server, generating a transaction message signature corresponding to the transaction message, and encrypting the transaction message to obtain an encrypted transaction message;
sending the encrypted transaction message and the transaction message signature to the target server, wherein the target server is used for processing the transaction message after decrypting the encrypted transaction message and verifying the transaction message signature.
A communication device for application to a target server, the device comprising:
The receiving module is used for receiving a certificate application request sent by the cloud server, the request information of which comprises user identity information, generating corresponding certificate information according to the user identity information, and returning it to the cloud server; the certificate information comprises a first certificate and a second certificate; the second certificate comprises a local certificate and a cloud certificate; the cloud server is used for storing the first certificate and the local certificate and sending the cloud certificate to the target server;
the storage module is used for receiving and storing the cloud certificate sent by the cloud server;
The verification module is used for obtaining a communication request sent by the cloud server, the request information of which comprises the first certificate and the local certificate, verifying the cloud certificate, the local certificate and the first certificate, and establishing a communication connection with the cloud server when verification passes.
In one embodiment, the apparatus further comprises a transaction processing module for:
obtaining the collaborative signature request sent by the cloud server, processing the collaborative signature request through a security server interface, and sending a processing-passed result to the cloud server; the cloud server is used for receiving the processing-passed result and sending the encrypted transaction message and the transaction message signature to the target server;
obtaining the encrypted transaction message and the transaction message signature, decrypting the encrypted transaction message, verifying the decrypted transaction message against the transaction message signature through the security server interface, and processing the transaction message if verification passes.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method described above when the processor executes the computer program.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method described above.
A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method described above.
Compared with the traditional mode of accessing a banking system through physical hardware, the communication method, the device, the computer equipment and the storage medium can realize the following technical effects:
using the certificate information corresponding to the user identity as the verification basis, and dividing that certificate information into a locally stored certificate and a cloud-stored certificate, prevents theft by others and improves the security of accessing the bank system.
In addition, in the embodiments of this scheme the cloud server initiates the communication request to the target server with request information generated from the RSA certificate and the local SM2 certificate, and the target server verifies the cloud server's eligibility to communicate by certificate-based verification; because the certificate information held by the cloud server is tightly bound to the cloud server's user identity information, the security of accessing the bank system is improved. The cloud server can also communicate with the target server by collaborative signing, encryption and signing, which further improves the security of accessing the bank system.
Drawings
FIG. 1 is an application environment diagram of a communication method in one embodiment;
FIG. 2 is a flow diagram of a communication method in one embodiment;
FIG. 3 is a flow chart of a communication method according to another embodiment;
FIG. 4 is a flow chart of a communication method in yet another embodiment;
FIG. 5 is a flow diagram of the certificate generation steps in one embodiment;
FIG. 6 is a flow chart illustrating the steps of processing a transaction message in one embodiment;
FIG. 7 is a block diagram of a communication device in one embodiment;
FIG. 8 is a block diagram of a communication device in another embodiment;
FIG. 9 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application. It should be noted that, in the technical scheme of the application, the acquisition, storage, use, processing and the like of the data all conform to the relevant regulations of national laws and regulations, and the user information (including but not limited to user equipment information, user personal information and the like) and the data (including but not limited to data for display, analyzed data and the like) related by the application are information and data which are authorized by the user or are fully authorized by all parties, and correspondingly, the application also provides a corresponding user authorization entry for the user to select authorization or select rejection.
The communication method provided by the application can be applied to the application environment shown in FIG. 1, in which the cloud server 102 communicates with the target server 104 via a network. The cloud server 102 may send a certificate application to the target server 104 according to its own user identity information; the target server 104 may return corresponding certificate information to the cloud server 102 based on that user identity information; the cloud server 102 may divide the certificate information, storing one part locally and sending the other part to the target server 104 for storage; the cloud server 102 may then send a communication request to the target server 104 according to the locally stored certificates, and the target server 104 establishes a communication connection with the cloud server 102 after the certificates pass verification. The cloud server 102 and the target server 104 may each be implemented by a single server or by a server cluster formed by a plurality of servers.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for presentation, analyzed data, etc.) related in the disclosure are both information and data authorized by the user or sufficiently authorized by each party, and the disclosure also provides a corresponding user authorization entry for the user to select authorization or select rejection.
In one embodiment, as shown in fig. 2, a communication method is provided, and the method is applied to the cloud server in fig. 1 for illustration, and includes the following steps:
Step S202, a certificate application request is generated according to user identity information corresponding to the cloud server and sent to a target server; the target server is used for generating and returning certificate information according to the user identity information; the certificate information comprises a first certificate and a second certificate, the second certificate comprises a local certificate and a cloud certificate, and the first certificate and the second certificate use different cryptographic algorithms.
The communication method may be a communication method based on a banking system, and the cloud server 102 may be a server deployed in a cloud, for example an enterprise financial system deployed on a third-party public cloud. Since the cloud server 102 runs in a public cloud, it cannot be connected to the banking system by plugging in physical hardware. The cloud server 102 has corresponding user identity information; when it needs to connect to the banking system, it can generate a corresponding certificate application request based on that user identity information and send it to the target server 104, so that the target server 104 can generate corresponding certificate information according to the user identity information and return it to the cloud server 102. A public cloud is a cloud provided by a third-party provider for users' use; it is generally reachable over the Internet, may be free or low-cost, and its core attribute is shared resource service. Many such clouds provide services over the open public network today. The cloud server 102 may be the service consumer, for example an enterprise financial system deployed in a third-party public cloud that directly invokes, over the Internet, an interface provided by a bank in order to use financial services; the target server 104 may be a bank server corresponding to the bank system, and the bank system may be the service provider, for example a bank-enterprise direct-connection system of the bank that provides financial services to enterprises through an open interface.
The bank-enterprise direct connection means that the financial system of the enterprise is directly interconnected with the bank system, and the financial system of the enterprise directly uses related financial services by calling an Internet interface issued by the bank.
A digital certificate marks the identity information of each party in Internet communication, so that parties can identify each other on the Internet. The certificate information described above comprises a first certificate and a second certificate, and the second certificate may further be divided into a local certificate and a cloud certificate. The first certificate and the second certificate may be certificates obtained with different cryptographic algorithms. For example, in one embodiment, the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate. In this embodiment, SM2 is an elliptic-curve public-key cryptographic algorithm published by the State Cryptography Administration of China. RSA is a public-key cryptosystem that uses different keys for encryption and decryption, in which deriving the decryption key from a known encryption key is computationally infeasible. The SM2 certificate may be split into two parts: a local SM2 certificate stored on the cloud server 102, and a cloud SM2 certificate stored on the target server 104.
Step S204, obtaining the certificate information sent by the target server, storing the first certificate and the local certificate, and sending the cloud certificate to the target server, wherein the target server is used for storing the cloud certificate.
The target server 104 may send to the cloud server 102 the certificate information generated according to the user identity information of the cloud server 102; the certificate information may comprise a first certificate and a second certificate, and the second certificate may be divided into a local certificate and a cloud certificate. After obtaining the certificate information sent by the target server 104, the cloud server 102 may store the first certificate and the local-certificate part of the second certificate on the cloud server 102 and send the cloud-certificate part of the second certificate to the target server 104, which stores the cloud certificate on receipt.
Here the first certificate may be an RSA certificate and the second certificate an SM2 certificate, so the cloud server 102 stores two digital certificates obtained with different cryptographic algorithms. For example, in one embodiment, obtaining the certificate information sent by the target server, storing the first certificate and the local certificate and sending the cloud certificate to the target server comprises: obtaining the RSA certificate and the SM2 certificate sent by the target server, storing the RSA certificate and the local SM2 certificate, and sending the cloud SM2 certificate to the target server, which is used for storing the cloud SM2 certificate. In this embodiment, the cloud server 102 obtains the RSA certificate and the SM2 certificate sent by the target server 104, divides the SM2 certificate into a local SM2 certificate and a cloud SM2 certificate, stores the RSA certificate and the local SM2 certificate, and sends the cloud SM2 certificate to the target server 104, which stores it on receipt. This guards against the risk that a file certificate used in the bank-enterprise direct-connection service is copied and stolen: part of the signing certificate information is kept on the bank-enterprise direct-connection server side, i.e. the target server 104, while the part kept on the client side is tied closely to the local environment information, so a copied local signing certificate cannot be used on its own.
And step S206, a communication request is sent to a target server according to the first certificate and the local certificate, and the target server is used for establishing communication connection with the cloud server after the cloud server is verified according to the cloud certificate, the local certificate and the first certificate.
After the cloud server 102 completes the application and storage of the certificate information, communication with the target server 104 may be established based on the certificate information. The cloud server 102 may generate a corresponding communication request based on the local certificate in the first certificate and the second certificate, and send the communication request to the target server 104, where the target server 104 may verify the communication qualification of the cloud server 102 with the local certificate and the first certificate in the received communication request, and establish a communication connection with the cloud server 102 after the verification passes, so as to implement communication between the cloud server 102 on the third party public cloud and the target server 104 of the bank system with security requirements. After the cloud server 102 establishes a communication connection with the target server 104, interaction of transaction messages can be performed.
In the communication method above, the target server generates certificate information from the user identity information carried in the certificate application request sent by the cloud server and returns it; the cloud server stores the first certificate and the local certificate of the second certificate and sends the cloud certificate of the second certificate to the target server for storage; the cloud server then sends a communication request to the target server according to the first certificate and the local certificate, and the target server establishes a communication connection with the cloud server after verifying it against the cloud certificate, the local certificate and the first certificate. Compared with the traditional way of accessing the banking system through physical hardware, the method and device use certificate information bound to the user identity as the basis for verification and divide that certificate information into a locally stored part and a cloud-stored part, so that theft by others is prevented and the security of accessing the banking system is improved.
In one embodiment, sending the communication request to the target server based on the first certificate and the local certificate includes generating a two-way HTTPS (hypertext transfer security protocol) communication request whose request information includes the RSA certificate and the local SM2 certificate, and sending it to the target server.
In this embodiment, the certificate information received by the cloud server 102 includes a first certificate and a second certificate generated with different encryption algorithms; the cloud server 102 divides the second certificate into a local certificate and a cloud certificate, generates a communication request based on the first certificate and the local certificate, and sends it to the target server 104. Where the first certificate is an RSA certificate and the second certificate an SM2 certificate, the cloud server 102 generates a two-way (mutually authenticated) HTTPS communication request that carries the RSA certificate and the local SM2 certificate and sends it to the target server 104. The target server 104 then verifies the eligibility of the cloud server 102 from the certificates in the received request, for example by checking the information in each received certificate to decide whether the cloud server 102 passes verification.
In this embodiment, the cloud server 102 initiates the communication request to the target server 104 with request information generated from the RSA certificate and the local SM2 certificate, and the target server 104 verifies the communication qualification of the cloud server 102 by certificate-based verification. Because the certificate information on the cloud server 102 is tightly bound to the cloud server's user identity information, the security of accessing the bank system is improved.
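The split-certificate check of steps S204 to S206, as an added Go model that is not code from the patent or from the bank: the target server issues certificate material bound to a user identity, the client keeps the RSA certificate and one half of the SM2 certificate and hands the other half back, and the link is opened only when the two halves reassembled on the bank side match the fingerprints registered for the claimed identity. Certificates are random byte strings (constructed stand-ins for DER-encoded RSA and SM2 certificates), the split is a simple midpoint split, and the type names, function names and error strings are assumptions; the page does not say how the real SM2 certificate is partitioned or how the local part is bound to local environment information, and this model does not attempt that binding.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// bankRecord is what the target server (104) keeps per registered user identity.
type bankRecord struct {
	rsaFingerprint string // SHA-256 of the RSA certificate (first certificate)
	sm2Fingerprint string // SHA-256 of the complete SM2 certificate (second certificate)
	cloudSM2Part   []byte // "cloud SM2 certificate": the half handed back for storage
}

// TargetServer stands in for the bank-enterprise direct-connection server.
type TargetServer struct{ records map[string]*bankRecord }

func NewTargetServer() *TargetServer { return &TargetServer{records: map[string]*bankRecord{}} }

// CloudClient stands in for the enterprise financial system on the public cloud (102).
type CloudClient struct {
	UserID       string
	RSACert      []byte // first certificate, stored whole
	LocalSM2Part []byte // "local SM2 certificate": the half kept on the cloud server
}

// ConnectRequest is what the client presents when it asks to open the link (S206/S306).
type ConnectRequest struct {
	UserID       string
	RSACert      []byte
	LocalSM2Part []byte
}

func fingerprint(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// IssueCertificates models S202/S302: certificate material is generated and bound to
// the user identity. Certificates are opaque random blobs here, constructed stand-ins
// for DER-encoded RSA and SM2 certificates.
func (s *TargetServer) IssueCertificates(userID string) (rsaCert, sm2Cert []byte) {
	rsaCert, sm2Cert = randomBytes(64), randomBytes(64)
	s.records[userID] = &bankRecord{rsaFingerprint: fingerprint(rsaCert), sm2Fingerprint: fingerprint(sm2Cert)}
	return rsaCert, sm2Cert
}

// SplitAndStore models S204: the client keeps the RSA certificate and the first half
// of the SM2 certificate and returns the second half for the target server.
// Splitting at the midpoint is an assumption; the page only says "two parts".
func SplitAndStore(userID string, rsaCert, sm2Cert []byte) (*CloudClient, []byte) {
	mid := len(sm2Cert) / 2
	c := &CloudClient{UserID: userID, RSACert: rsaCert, LocalSM2Part: append([]byte{}, sm2Cert[:mid]...)}
	return c, append([]byte{}, sm2Cert[mid:]...)
}

// StoreCloudPart models S304: the cloud half is stored under the identity it was issued to.
func (s *TargetServer) StoreCloudPart(userID string, cloudPart []byte) error {
	rec, ok := s.records[userID]
	if !ok {
		return errors.New("no certificates issued for this identity")
	}
	rec.cloudSM2Part = append([]byte{}, cloudPart...)
	return nil
}

func (c *CloudClient) Request() ConnectRequest {
	return ConnectRequest{UserID: c.UserID, RSACert: c.RSACert, LocalSM2Part: c.LocalSM2Part}
}

// VerifyConnect models S306: reassemble local + cloud halves and check both fingerprints
// against the record bound to the claimed identity; a copied local half fails.
func (s *TargetServer) VerifyConnect(req ConnectRequest) error {
	rec, ok := s.records[req.UserID]
	if !ok || rec.cloudSM2Part == nil {
		return errors.New("identity unknown or cloud certificate not stored")
	}
	if subtle.ConstantTimeCompare([]byte(fingerprint(req.RSACert)), []byte(rec.rsaFingerprint)) != 1 {
		return errors.New("RSA certificate does not match identity")
	}
	full := bytes.Join([][]byte{req.LocalSM2Part, rec.cloudSM2Part}, nil)
	if subtle.ConstantTimeCompare([]byte(fingerprint(full)), []byte(rec.sm2Fingerprint)) != 1 {
		return errors.New("reassembled SM2 certificate does not match identity")
	}
	return nil
}
```

In a deployment this check sits behind the two-way HTTPS handshake: the RSA certificate authenticates the TLS client, and the reassembled SM2 certificate is an application-level second factor bound to the identity record. The bank-side record holds fingerprints rather than the full certificates, so disclosure of that record alone does not yield a usable client credential.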
In one embodiment, after the communication request is sent to the target server according to the first certificate and the local certificate, the method further comprises: receiving a transaction request, generating a collaborative signature request according to the transaction message in it, and sending the collaborative signature request to the target server, which processes the collaborative signature request and then sends a processing pass result to the cloud server; receiving the processing pass result sent by the target server, generating a transaction message signature corresponding to the transaction message, and encrypting the transaction message to obtain an encrypted transaction message; and sending the encrypted transaction message and the transaction message signature to the target server, which verifies the encrypted transaction message and the transaction message signature and processes the transaction message after verification passes.
In this embodiment, after the cloud server 102 establishes a communication connection with the target server 104, transaction messages can be exchanged. When the cloud server 102 receives a transaction request, it generates a collaborative signature request according to the transaction message in the request and sends it to the target server 104; the target server 104 processes the collaborative signature request and, once processing is complete, sends the processing result to the cloud server 102. After receiving that result, the cloud server 102 generates the transaction message signature corresponding to the transaction message and encrypts the transaction message to obtain an encrypted transaction message, for example with the 3DES algorithm. 3DES is the common name for the TDEA (Triple Data Encryption Algorithm) block cipher; it is equivalent to applying the DES algorithm three times to each data block. The cloud server 102 then sends the encrypted transaction message and the transaction message signature to the target server 104, which verifies them and processes the transaction message after verification passes. For example, the target server 104 may decrypt the encrypted transaction message, verify the decrypted transaction message against the transaction message signature, and only then carry on with the business logic of the transaction message.
With this embodiment, the cloud server 102 communicates with the target server 104 by way of collaborative signature, encryption and signature, so the security of accessing the banking system is improved.
In one embodiment, as shown in fig. 3, a communication method is provided; taking the method as applied to the terminal in fig. 1 as an example, it includes the following steps:
Step S302: receiving a certificate application request sent by a cloud server whose request information includes user identity information, generating corresponding certificate information according to the user identity information and returning it to the cloud server, where the certificate information includes a first certificate and a second certificate, the second certificate includes a local certificate and a cloud certificate, the encryption algorithms of the first certificate and the second certificate are different, and the cloud server is used for storing the first certificate and the local certificate and sending the cloud certificate to the target server.
The cloud server 102 may be a server deployed in a cloud, for example an enterprise financial system deployed on a third-party public cloud. Since the cloud server 102 sits in a public cloud, it cannot be connected to the banking system by inserting physical hardware. The cloud server 102 has corresponding user identity information, so when it needs to connect to the bank system it can generate a certificate application request based on that user identity information and send it to the target server 104, which generates the corresponding certificate information from the user identity information and returns it to the cloud server 102. A public cloud is a cloud provided by a third-party provider for users; it is generally reachable over the Internet, is free or low-cost, and its core attribute is shared resource service. Many such clouds provide services over the open public network today. The cloud server 102 may be the service user, for example an enterprise financial system deployed in a third-party public cloud that directly invokes interfaces provided by the bank over the Internet to use financial services, and the banking system may be the service provider, for example the bank's bank-enterprise direct connection system, which provides financial services to the enterprise through open interfaces. Bank-enterprise direct connection means that the enterprise's financial system is interconnected directly with the bank system and uses financial services by calling the Internet interfaces published by the bank.
A digital certificate identifies each party in Internet communication, and parties can use it to verify the other side's identity online. The certificate information described above includes a first certificate and a second certificate, and the second certificate can further be divided into a local certificate and a cloud certificate. The first certificate and the second certificate may be obtained with different encryption algorithms. For example, in one embodiment the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate and the cloud certificate is a cloud SM2 certificate. The SM2 certificate may be split into two parts, one being the local SM2 certificate kept on the cloud server 102 and the other the cloud SM2 certificate kept on the target server 104.
Step S304: receiving and storing the cloud certificate sent by the cloud server.
The target server 104 sends the cloud server 102 the certificate information generated from the user identity information of the cloud server 102; this certificate information includes a first certificate and a second certificate, and the second certificate is divided into a local certificate and a cloud certificate. After the cloud server 102 obtains the certificate information from the target server 104, it stores the first certificate and the local certificate part of the second certificate and sends the cloud certificate part of the second certificate to the target server 104, which stores the cloud certificate on receipt. The first certificate may be an RSA certificate and the second certificate an SM2 certificate, so the cloud server 102 holds two digital certificates obtained with different encryption algorithms. For example, the cloud server 102 may store the RSA certificate and the local SM2 certificate and send the cloud SM2 certificate to the target server, which is configured to store it.
Step S306: acquiring the communication request sent by the cloud server, whose request information includes the first certificate and the local certificate, verifying the cloud certificate, the local certificate and the first certificate, and establishing a communication connection with the cloud server when verification passes.
After the cloud server 102 completes the application and storage of the certificate information, communication with the target server 104 may be established based on it. The cloud server 102 generates a communication request based on the first certificate and the local certificate of the second certificate and sends it to the target server 104; the target server 104 verifies the communication qualification of the cloud server 102 using the local certificate and the first certificate in the received request, together with the cloud certificate it stores, and establishes a communication connection with the cloud server 102 once verification passes. This enables communication between the cloud server 102 on the third-party public cloud and the target server 104 of the bank system, which has security requirements. Once the connection is established, transaction messages can be exchanged.
In the communication method above, the target server generates certificate information from the user identity information carried in the certificate application request sent by the cloud server and returns it; the cloud server stores the first certificate and the local certificate of the second certificate and sends the cloud certificate of the second certificate to the target server for storage; the cloud server then sends a communication request to the target server according to the first certificate and the local certificate, and the target server establishes a communication connection with the cloud server after verifying it against the cloud certificate, the local certificate and the first certificate. Compared with the traditional way of accessing the banking system through physical hardware, the method and device use certificate information bound to the user identity as the basis for verification and divide that certificate information into a locally stored part and a cloud-stored part, so that theft by others is prevented and the security of accessing the banking system is improved.
In one embodiment, after the communication connection is established with the cloud server when verification passes, the method further comprises: obtaining a collaborative signature request sent by the cloud server, processing the collaborative signature request through a secure server interface and then sending a processing pass result to the cloud server, where the cloud server, on receiving the processing pass result, sends an encrypted transaction message and a transaction message signature to the target server; and obtaining the encrypted transaction message and the transaction message signature, decrypting the encrypted transaction message, verifying the decrypted transaction message and the transaction message signature through the secure server interface, and processing the transaction message if verification passes.
In this embodiment, after the cloud server 102 establishes a communication connection with the target server 104, transaction messages can be exchanged. When the cloud server 102 receives a transaction request, it generates a collaborative signature request according to the transaction message in the request and sends it to the target server 104; the target server 104 processes the collaborative signature request and sends a processing pass result to the cloud server 102 once processing passes. For example, the target server 104 may invoke the secure server interface to process the collaborative signature and return the result to the cloud server 102. After receiving the processing pass result, the cloud server 102 sends the encrypted transaction message and the transaction message signature to the target server 104, which verifies them and processes the transaction message after verification passes. For example, the target server 104 may decrypt the encrypted transaction message and have the secure server verify the decrypted transaction message against the transaction message signature, so that the business logic of the transaction message is processed only after verification passes.
With this embodiment, the target server 104 determines whether the cloud server 102 qualifies to communicate with it by invoking the secure server to process the collaborative signature, decrypting the transaction message and verifying the signature, thereby improving the security of accessing the banking system.
In one embodiment, as shown in fig. 4, which is a flow chart of a communication method in yet another embodiment, the cloud server 102 may be an enterprise financial system deployed on a third-party public cloud, that is, the client, and the target server 104 may be a bank-enterprise direct connection system in the banking system, that is, the server. As shown in fig. 4, the method comprises the following steps: the client initiates a request to the server to generate a client certificate, the client initiates the establishment of a transaction link, and the client initiates a transaction message request; the server responds to each of these steps in turn.
The flow of certificate generation is shown in fig. 5, a schematic flow diagram of the certificate generation step in one embodiment. The enterprise financial system deployed in the public cloud initiates a certificate generation request to the bank server. The bank server receives the certificate generation request initiated by the client financial system, calls the certificate system to generate the relevant certificate information, returns it to the client financial system, and binds the certificate information to the client identity; the client identity information may be taken from the certificate generation request. The enterprise financial system receives the bank's processing result, which includes an RSA certificate and an SM2 certificate; the enterprise financial system stores the RSA certificate in the financial system and divides the SM2 certificate into two parts, one stored in the financial system and the other stored on the target server. After the enterprise financial system completes the application and storage of the certificate, a transaction link can be established with the bank-enterprise direct connection application. For example, the enterprise financial system uses the local RSA certificate information to initiate a request to establish two-way HTTPS communication to the bank server; the bank server verifies the client certificate information, and if verification passes the connection is established.
After the enterprise financial system client has established the transaction link, it can exchange transaction messages with the banking system's server. The interaction between client and server may be as shown in fig. 6, a schematic flow chart of the transaction message processing steps in one embodiment. The server may be connected to a security server, which may be an authentication server inside the banking system. During transaction message processing, the client first initializes the signature of the transaction message and then sends a collaborative signature request to the server; the server invokes the security server interface to process the collaborative signature and returns the result to the client. Once the client has the collaborative signature result, it completes the transaction message signature and encrypts the transaction message with the 3DES algorithm, then sends the encrypted transaction message and the transaction message signature to the server. The server decrypts the encrypted message and passes the decrypted result and the message signature to the security server for signature verification. If verification at the security server fails, the server returns an error result to the client; if it passes, the server continues to process the business logic of the transaction message and returns the result to the client. The client receives the transaction message processing result and the transaction flow ends.
Through this embodiment, the certificate information bound to the user identity is used as the basis for verification, and it is divided into a locally stored certificate and a cloud-stored certificate so that the certificate cannot be stolen by others, improving the security of accessing the bank system. After the communication link is established, the transaction message is processed only after its signature and other information have been verified, so that a financial system on a third-party public cloud can use the bank-enterprise direct connection service securely and reliably without a physical USB key (U shield). This improves the security of accessing the bank system and lets the bank's financial services support enterprises safely.
It should be understood that, although the steps in the flowcharts of fig. 2-6 are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution is not strictly limited and the steps may be executed in other orders. Moreover, at least some of the steps of fig. 2-6 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, a communication system is provided, comprising a cloud server 102 and a target server 104, wherein:
The cloud server is used for generating a certificate application request according to the user identity information corresponding to the cloud server and sending the certificate application request to the target server;
the target server is used for receiving a certificate application request of which the request information comprises user identity information and is sent by the cloud server, generating corresponding certificate information according to the user identity information and returning the corresponding certificate information to the cloud server, wherein the certificate information comprises a first certificate and a second certificate;
the cloud server is used for storing the first certificate and the local certificate and sending the cloud certificate to the target server;
the target server is used for storing the cloud certificate;
The cloud server is used for sending a communication request to the target server according to the first certificate and the local certificate;
and the target server is used for establishing a communication connection with the cloud server after the cloud server is verified according to the cloud certificate, the local certificate and the first certificate.
For specific limitations of the communication system, reference may be made to the limitations of the communication method above; they are not repeated here.
In one embodiment, as shown in FIG. 7, a communication apparatus is provided, comprising an application module 500, an acquisition module 502, and a communication module 504, wherein:
The application module 500 is configured to generate a certificate application request according to user identity information corresponding to the cloud server and send the request to the target server, wherein the target server is configured to generate and return certificate information according to the user identity information, the certificate information includes a first certificate and a second certificate, the second certificate includes a local certificate and a cloud certificate, and encryption algorithms of the first certificate and the second certificate are different.
The obtaining module 502 is configured to obtain the certificate information sent by the target server, store the first certificate and the local certificate, and send the cloud certificate to the target server, where the target server is configured to store the cloud certificate.
The communication module 504 is configured to send a communication request to a target server according to the first certificate and the local certificate, and the target server is configured to establish communication connection with the cloud server after the cloud server is verified according to the cloud certificate, the local certificate and the first certificate.
In one embodiment, the obtaining module 502 is specifically configured to obtain an RSA certificate and an SM2 certificate sent by a target server, store the RSA certificate and a local SM2 certificate, and send a cloud SM2 certificate to the target server, where the target server is configured to store the cloud SM2 certificate.
In one embodiment, the communication module 504 is specifically configured to generate a bidirectional hypertext transfer security protocol communication request with the request information including the RSA certificate and the local SM2 certificate, and send the request to the target server.
In one embodiment, the device further comprises a transaction request module configured to receive a transaction request, generate a collaborative signature request according to the transaction message and send it to the target server, where the target server is configured to process the collaborative signature request and send a processing pass result to the cloud server; to receive the processing pass result sent by the target server, generate a transaction message signature corresponding to the transaction message and encrypt the transaction message to obtain an encrypted transaction message; and to send the encrypted transaction message and the transaction message signature to the target server, where the target server is configured to verify the encrypted transaction message and the transaction message signature and process the transaction message after verification passes.
In one embodiment, as shown in FIG. 8, a communication device is provided, comprising a receiving module 600, a storage module 602, and a verification module 604, wherein:
The receiving module 600 is configured to receive a certificate application request sent by the cloud server whose request information includes user identity information, generate corresponding certificate information according to the user identity information, and return it to the cloud server, where the certificate information includes a first certificate and a second certificate, the second certificate includes a local certificate and a cloud certificate, the encryption algorithms of the first certificate and the second certificate are different, and the cloud server is configured to store the first certificate and the local certificate and send the cloud certificate to the target server.
The storage module 602 is configured to receive and store the cloud certificate sent by the cloud server.
The verification module 604 is configured to obtain the communication request sent by the cloud server whose request information includes the first certificate and the local certificate, verify the cloud certificate, the local certificate and the first certificate, and establish a communication connection with the cloud server when verification passes.
In one embodiment, the device further comprises a transaction processing module configured to obtain a collaborative signature request sent by the cloud server, process the collaborative signature request through the secure server interface and then send a processing pass result to the cloud server, where the cloud server is configured to receive the processing pass result and send an encrypted transaction message and a transaction message signature to the target server; and to obtain the encrypted transaction message and the transaction message signature, decrypt the encrypted transaction message, verify the decrypted transaction message and the transaction message signature through the secure server interface, and process the transaction message if verification passes.
The specific limitations regarding the communication device may be referred to above as limitations regarding the communication method, and will not be described herein. The various modules in the communication device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and whose internal structure may be as shown in fig. 9. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless mode can be realized through Wi-Fi, an operator network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements a communication method. The display screen of the computer device can be a liquid crystal display or an electronic ink display, and the input device can be a touch layer covering the display screen, keys, a trackball or a touch pad on the housing of the computer device, or an external keyboard, touch pad, mouse or the like.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 9 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided that includes a memory having a computer program stored therein and a processor that implements the communication method described above when the processor executes the computer program.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, implements the communication method described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the above-described communication method.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, or the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory. By way of illustration, and not limitation, RAM can be in various forms such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), etc.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (12)

1. A communication method, applied to a cloud server, the method comprising:
generating a certificate application request according to user identity information corresponding to the cloud server and sending the request to a target server, wherein the target server is used for generating and returning certificate information according to the user identity information;
obtaining the certificate information sent by the target server, the certificate information comprising a first certificate and a second certificate, dividing the second certificate into a local certificate and a cloud certificate, storing the first certificate and the local certificate, and sending the cloud certificate to the target server, wherein the target server is used for storing the cloud certificate, the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate;
sending a communication request to the target server according to the first certificate and the local certificate, wherein the communication request comprises the local certificate, the target server is used for establishing a communication connection with the cloud server after the cloud server passes verification according to the cloud certificate, the local certificate and the first certificate, and the RSA certificate is used for initiating the communication request for establishing bidirectional hypertext transfer security protocol communication to the target server;
generating a collaborative signature request according to a received transaction request containing a transaction message, sending the collaborative signature request to the target server, receiving a processing passing result sent to the cloud server after the target server processes the collaborative signature request through a secure server interface, generating a transaction message signature corresponding to the transaction message, encrypting the transaction message according to a 3DES algorithm, and sending the encrypted transaction message and the transaction message signature to the target server, wherein the target server is used for processing the transaction message after verifying the decrypted transaction message and the transaction message signature through the secure server interface.
2. The method of claim 1, wherein the obtaining the certificate information sent by the target server, dividing the second certificate into a local certificate and a cloud certificate, storing the first certificate and the local certificate, and sending the cloud certificate to the target server, comprises:
Acquiring an RSA certificate and an SM2 certificate sent by the target server;
Storing the RSA certificate and the local SM2 certificate, and sending the cloud SM2 certificate to the target server, wherein the target server is used for storing the cloud SM2 certificate.
3. The method of claim 2, wherein the sending a communication request to the target server based on the first certificate and the local certificate comprises:
generating a bidirectional hypertext transfer security protocol communication request whose request information comprises the RSA certificate and the local SM2 certificate, and sending the request to the target server.
4. A communication method, applied to a target server, the method comprising:
receiving a certificate application request generated by a cloud server according to user identity information, generating certificate information according to the user identity information and returning the certificate information to the cloud server, wherein the certificate information comprises a first certificate and a second certificate, the cloud server is used for dividing the second certificate into a local certificate and a cloud certificate, storing the first certificate and the local certificate and sending the cloud certificate to the target server, the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate;
receiving and storing the cloud certificate sent by the cloud server;
obtaining a communication request sent by the cloud server according to the first certificate and the local certificate, wherein the communication request is initiated by the cloud server using the RSA (Rivest-Shamir-Adleman) certificate for establishing bidirectional hypertext transfer security protocol communication, and the communication request comprises the local certificate;
processing a collaborative signature request sent by the cloud server through a secure server interface and sending a processing passing result to the cloud server, obtaining an encrypted transaction message and a transaction message signature sent by the cloud server after it receives the processing passing result, verifying the decrypted transaction message and the transaction message signature through the secure server interface, and processing the transaction message after the verification passes, wherein the encrypted transaction message is encrypted based on a 3DES algorithm.
5. A communication system, characterized in that the system comprises a cloud server and a target server:
the cloud server is used for generating a certificate application request according to user identity information corresponding to the cloud server and sending the certificate application request to the target server;
The target server is used for receiving a certificate application request of user identity information, which is sent by the cloud server, and generating corresponding certificate information according to the user identity information and returning the corresponding certificate information to the cloud server, wherein the certificate information comprises a first certificate and a second certificate;
The cloud server is used for dividing the second certificate into a local certificate and a cloud certificate, storing the first certificate and the local certificate and sending the cloud certificate to the target server, wherein the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate;
the target server is used for storing the cloud certificate;
The cloud server is used for sending a communication request to the target server according to the first certificate and the local certificate, and comprises the steps of initiating a communication request for establishing two-way hypertext transfer security protocol communication to the target server by using the RSA certificate, wherein the communication request comprises the local certificate;
the target server is used for establishing communication connection with the cloud server after the cloud server is verified according to the cloud certificate, the local certificate and the first certificate;
the cloud server is used for generating a collaborative signature request according to the received transaction request containing the transaction message and sending the collaborative signature request to the target server;
The target server is used for processing the collaborative signature request through a security server interface and sending a processing passing result to the cloud server;
The cloud server is used for receiving the processing passing result, generating a transaction message signature corresponding to the transaction message, encrypting the transaction message according to a 3DES algorithm, and sending the encrypted transaction message and the transaction message signature to the target server;
and the target server is used for processing the transaction message after the decrypted transaction message and the transaction message signature pass verification through the security server interface.
6. A communication device for use with a cloud server, the device comprising:
The application module is used for generating a certificate application request according to the user identity information corresponding to the cloud server and sending the request to a target server, wherein the target server is used for generating and returning certificate information according to the user identity information;
The acquisition module is used for acquiring the certificate information sent by the target server, dividing the second certificate into a local certificate and a cloud certificate, storing the first certificate and the local certificate and sending the cloud certificate to the target server, wherein the target server is used for storing the cloud certificate, the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate;
The communication module is used for sending a communication request to the target server according to the first certificate and the local certificate, and comprises the steps of initiating a communication request for establishing bidirectional hypertext transfer security protocol communication to the target server by using the RSA certificate, wherein the communication request comprises the local certificate;
The transaction request module is used for generating a collaborative signature request according to a received transaction request containing a transaction message and sending the collaborative signature request to the target server, receiving a processing passing result sent to the cloud server after the target server processes the collaborative signature request through a security server interface, generating a transaction message signature corresponding to the transaction message, encrypting the transaction message according to a 3DES algorithm, and sending the encrypted transaction message and the transaction message signature to the target server, wherein the target server is used for verifying the decrypted transaction message and the transaction message signature through the security server interface and processing the transaction message after the verification passes.
7. The apparatus of claim 6, wherein the obtaining module is specifically configured to:
Acquiring an RSA certificate and an SM2 certificate sent by the target server;
Storing the RSA certificate and the local SM2 certificate, and sending the cloud SM2 certificate to the target server, wherein the target server is used for storing the cloud SM2 certificate.
8. The apparatus of claim 7, wherein the communication module is specifically configured to:
generating a bidirectional hypertext transfer security protocol communication request whose request information comprises the RSA certificate and the local SM2 certificate, and sending the request to the target server.
9. A communication device for application to a target server, the device comprising:
A module for receiving a certificate application request generated by the cloud server according to user identity information, generating certificate information according to the user identity information and returning the certificate information to the cloud server, wherein the certificate information comprises a first certificate and a second certificate, the cloud server is used for dividing the second certificate into a local certificate and a cloud certificate, storing the first certificate and the local certificate and sending the cloud certificate to the target server, the first certificate is an RSA certificate, the second certificate is an SM2 certificate, the local certificate is a local SM2 certificate, and the cloud certificate is a cloud SM2 certificate;
the storage module is used for receiving and storing the cloud certificate sent by the cloud server;
The verification module is used for obtaining a communication request sent by the cloud server according to the first certificate and the local certificate, wherein the communication request comprises the local certificate and is initiated by the cloud server using the RSA certificate for establishing bidirectional hypertext transfer security protocol communication;
The transaction processing module is used for processing a collaborative signature request sent by the cloud server through a secure server interface and sending a processing passing result to the cloud server, obtaining an encrypted transaction message and a transaction message signature sent by the cloud server after it receives the processing passing result, verifying the decrypted transaction message and the transaction message signature through the secure server interface, and processing the transaction message after the verification passes, wherein the encrypted transaction message is encrypted based on a 3DES algorithm.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 4 when executing the computer program.
11. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 4.
12. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any of claims 1 to 4.
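The collaborative signature step in claims 1, 4 and 5 (the cloud server keeps the local SM2 share, the target server keeps the cloud share, and the transaction message signature is produced jointly so that neither side ever holds the whole private key) is shown below as an added example. It is not code from the patent, which does not specify the arithmetic. It assumes a standard two-party SM2 construction in which the combined private key d satisfies (1+d)^-1 = d1*d2 mod n, uses SHA-256 in place of SM3 (SM3 is not in Python's standard library), and leaves out the certificate wrapping, the RSA mutual-TLS layer and the 3DES message encryption. The class names CloudServer and TargetServer, the function run_protocol and the sample message are constructed for this example.

```python
import hashlib
import secrets

# SM2 recommended curve y^2 = x^3 + a*x + b over F_p (GB/T 32918 parameters).
P_MOD = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)


def on_curve(pt):
    """True if pt (None = point at infinity) satisfies the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition (and doubling); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def rand_scalar():
    return secrets.randbelow(N - 1) + 1                  # uniform in [1, N-1]


def msg_digest(msg):
    # Assumption: SHA-256 stands in for SM3 over Z_A || M, which SM2 specifies.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


class CloudServer:
    """Holds the local share d1 (the 'local SM2 certificate' side)."""

    def keygen_round1(self):
        self.d1 = rand_scalar()
        return ec_mul(pow(self.d1, -1, N), G)             # P1 = d1^-1 * G

    def sign_round1(self, msg):
        self.e, self.k1 = msg_digest(msg), rand_scalar()
        return self.e, ec_mul(self.k1, G)                 # collaborative signature request

    def sign_finish(self, r, s2, s3):
        # s = d1*k1*s2 + d1*s3 - r == (1+d)^-1 * (k - r*d) mod N, i.e. a plain SM2 s.
        s = (self.d1 * self.k1 * s2 + self.d1 * s3 - r) % N
        if r == 0 or s == 0:
            raise ValueError("degenerate signature, retry with fresh nonces")
        return r, s


class TargetServer:
    """Holds the cloud share d2 (the 'cloud SM2 certificate' side)."""

    def keygen_round2(self, p1):
        self.d2 = rand_scalar()
        # P = d2^-1 * P1 - G = ((d1*d2)^-1 - 1) * G, so (1+d)^-1 = d1*d2.
        self.pub = ec_add(ec_mul(pow(self.d2, -1, N), p1), (G[0], (-G[1]) % P_MOD))
        return self.pub

    def cosign(self, e, q1):
        k2, k3 = rand_scalar(), rand_scalar()
        x1, _ = ec_add(ec_mul(k3, q1), ec_mul(k2, G))     # k = k1*k3 + k2, known to nobody
        r = (e + x1) % N
        return r, self.d2 * k3 % N, self.d2 * (r + k2) % N   # "processing passing result"


def sm2_verify(pub, msg, sig):
    """Ordinary single-party SM2 verification; the co-signed result must pass it."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    t = (r + s) % N
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    return pt is not None and (msg_digest(msg) + pt[0]) % N == r


def run_protocol(msg):
    """One key split plus one co-signing round; returns (public key, signature)."""
    cloud, target = CloudServer(), TargetServer()
    pub = target.keygen_round2(cloud.keygen_round1())
    e, q1 = cloud.sign_round1(msg)
    return pub, cloud.sign_finish(*target.cosign(e, q1))


if __name__ == "__main__":
    message = b"constructed sample transaction message"      # constructed, not from the patent
    pub, sig = run_protocol(message)
    print("co-signed signature verifies:", sm2_verify(pub, message, sig))
    print("tampered message verifies:  ", sm2_verify(pub, message + b"0", sig))
```

The point of the split is visible in `cosign` and `sign_finish`: the target server only ever sees `e`, `Q1` and its own share, and the cloud server only receives `(r, s2, s3)`, yet the output is a standard SM2 signature that any verifier checks against the certified public key. A practical deployment would additionally bind each request to the authenticated mTLS session and rate-limit the co-signing interface, since whoever can drive it can obtain signatures.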
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111492000.4A CN114238916B (en) 2021-12-08 2021-12-08 Communication methods, devices, computer equipment and storage media

Publications (2)

Publication Number Publication Date
CN114238916A CN114238916A (en) 2022-03-25
CN114238916B true CN114238916B (en) 2026-03-20

Family

ID=80754046

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant