CN118802159A - Authentication and authorization method, device, electronic device, storage medium and product - Google Patents

Authentication and authorization method, device, electronic device, storage medium and product Download PDF

Info

Publication number
CN118802159A
CN118802159A CN202410286332.4A CN202410286332A CN118802159A CN 118802159 A CN118802159 A CN 118802159A CN 202410286332 A CN202410286332 A CN 202410286332A CN 118802159 A CN118802159 A CN 118802159A
Authority
CN
China
Prior art keywords
user
authorized
authorization
authentication
approved
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410286332.4A
Other languages
Chinese (zh)
Other versions
CN118802159B (en
Inventor
王丽
段继康
王鑫
张征
和军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Shanxi Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Shanxi Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Shanxi Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202410286332.4A priority Critical patent/CN118802159B/en
Publication of CN118802159A publication Critical patent/CN118802159A/en
Application granted granted Critical
Publication of CN118802159B publication Critical patent/CN118802159B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to the technical field of network security, and provides an authentication and authorization method, an authentication and authorization device, electronic equipment, a storage medium and a product, wherein the authentication and authorization method comprises the following steps: transmitting an encryption authorization credential to a user to be authorized in response to a resource access request; the encryption authorization credential is generated by encryption operation based on an authority access policy of the user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved; receiving an encryption authorization credential decryption result sent by a user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, and the user private key is generated based on a system master private key and authority attributes of the user to be authorized; and judging whether the user to be authorized obtains the authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result. Through the mode, potential safety hazards can be avoided, and the safety of authentication and authorization is improved.

Description

Authentication and authorization method, device, electronic equipment, storage medium and product
Technical Field
The application relates to the technical field of network security, in particular to an authentication and authorization method, an authentication and authorization device, electronic equipment, a storage medium and a product.
Background
With the development of network technology, many enterprises have deployed OA (Office Automation System ) systems for improving enterprise management efficiency, and security of the OA systems directly affects security of core data of the enterprises. Most of the existing OA systems are deployed in an intranet environment, and a VPN (virtual private network) is adopted between a headquarter and a branch company and between the branch company to carry out OA information approval between the intranets. This scheme is based on the internal network not being hacked and the employee itself not being subject to malicious attack on the network or unauthorized actions.
But more and more security events indicate that with the development of hacking tools and the popularization of OA systems, small-probability internal attack events become necessary events that occur with a high probability. The authentication authorization of the OA system is a security base stone supporting the business approval process, so that a security mechanism for reinforcing the OA authentication authorization is required, the ordered operation of the OA office of an enterprise is ensured, and the unauthorized access of the data in the enterprise is ensured.
In the current OA system, the authentication and authorization method of different users in the business approval process is as follows: user information of different users in the business approval process, such as user names, passwords, authority attributes and the like, are stored in a database of a server side; after uploading the information to be approved, the approver firstly sends the user name and the password to the server, the server compares and verifies the received user name and password with the information in the database, if the user name and the password pass the verification, the authorization authentication of the user (approver) is completed, and the user is allowed to acquire the access resource of the OA system according to the authority attribute of the user to carry out information approval.
However, the existing user name-password verification mechanism is easy to suffer from attacks such as weak password guess and session hijacking in the actual use process, so that the user name and the password are revealed, and further potential safety hazards such as unauthorized access and illegal authorization of the OA system user are easy to occur, so that the existing authentication and authorization method is low in safety and has potential safety hazards.
Disclosure of Invention
The embodiment of the application provides an authentication and authorization method, an authentication and authorization device, electronic equipment, a storage medium and a product, which are used for solving the technical problems that the existing authentication and authorization method is low in safety and has potential safety hazards.
In a first aspect, an embodiment of the present application provides an authentication and authorization method, including: transmitting an encryption authorization credential to a user to be authorized in response to a resource access request; the encryption authorization credential is generated by encryption operation based on an authority access policy of the user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved; receiving an encryption authorization credential decryption result sent by a user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, and the user private key is generated based on a system master private key and authority attributes of the user to be authorized; and judging whether the user to be authorized obtains the authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result.
In one embodiment, the encrypted authorization credential decrypts the result as an access path; based on the encryption authorization credential decryption result, judging whether the user to be authorized obtains the authentication authorization of the user to be approved, including: verifying whether the access path is identical with the plaintext of the resource access path; if the access path is the same as the plaintext of the resource access path, determining that the user to be authorized obtains the authentication authorization of the user to be approved; acquiring an access resource corresponding to a resource access path plaintext; and sending the access resource to the user to be authorized.
In one embodiment, the encrypted authorization credential decrypts the result as an access path; based on the encryption authorization credential decryption result, judging whether the user to be authorized obtains the authentication authorization of the user to be approved, including: verifying whether the access path is identical with the plaintext of the resource access path; if the access path is different from the plaintext of the resource access path, determining that the user to be authorized does not acquire the authentication authorization of the user to be approved; and refusing to send the access resource corresponding to the resource access path plaintext to the user to be authorized.
In one embodiment, before sending the encrypted authorization credential to the user to be authorized in response to the resource access request, further comprises: transmitting an authorization credential uploading message to a user to be approved; receiving an encryption authorization credential, an authority access policy, a public key certificate and an attribute certificate sent by a user to be approved; storing the encrypted authorization credential, the rights access policy, the public key certificate and the attribute certificate to a database; and associating the encrypted authorization credential, the authority access policy, the public key certificate and the attribute certificate with the user information of the user to be approved in the database.
In one embodiment, before sending the encrypted authorization credential to the user to be authorized in response to the resource access request, further comprises: receiving a user name, a password, a public key certificate and an attribute certificate sent by a user to be authorized; judging whether the user to be authorized is a legal user or not based on the user name, the password, the public key certificate and the attribute certificate; and if the user to be authorized is not a legal user, rejecting the resource access request of the user to be authorized.
In one embodiment, the access resource includes information to be approved, and the user to be authorized is an approver corresponding to the information to be approved; after sending the access resource to the user to be authorized, the method further comprises: receiving an approval result of the information to be approved, which is sent by the user to be authorized; if the approval result is that the approval passes, updating the approval result to a database; determining a new user to be authorized; and sending an approval notification message to the new user to be authorized so that the new user to be authorized generates a new resource access request according to the approval notification message.
In a second aspect, an embodiment of the present application provides an authentication and authorization apparatus, including: the sending module is used for responding to the resource access request and sending an encryption authorization credential to the user to be authorized; the encryption authorization credential is generated by encryption operation based on an authority access policy of the user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved; the receiving module is used for receiving the encryption authorization credential decryption result sent by the user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, and the user private key is generated based on a system master private key and authority attributes of the user to be authorized; the judging module is used for judging whether the user to be authorized obtains the authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements any one of the authentication and authorization methods described above when executing the program.
In a fourth aspect, embodiments of the present application provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of authentication authorization as described in any of the above.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements an authentication and authorization method as described in any one of the above.
The authentication and authorization method, the authentication and authorization device, the electronic equipment, the storage medium and the product provided by the embodiment of the application respond to a resource access request and send an encryption and authorization credential to a user to be authorized; the encryption authorization credential is generated by encryption operation based on an authority access policy of the user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved; receiving an encryption authorization credential decryption result sent by a user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, and the user private key is generated based on a system master private key and authority attributes of the user to be authorized; and judging whether the user to be authorized obtains the authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result. By the method, the encryption authorization credential is generated based on encryption operation, decryption can be performed only when the user to be authorized has the correct user private key, so that even if the user to be authorized is attacked by weak password guess, session hijacking and the like, an attacker can not decrypt and obtain the correct decryption result of the encryption authorization credential due to the lack of the correct user private key, authentication and authorization can not be obtained, thereby avoiding potential safety hazards of unauthorized access, illegal authorization and the like of an OA system user and improving the security of authentication and authorization.
Drawings
In order to more clearly illustrate the application or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the application, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an authentication and authorization method according to an embodiment of the present application;
FIG. 2 is an exemplary diagram of a rights access policy provided by an embodiment of the present application;
FIG. 3 is a second flowchart of an authentication and authorization method according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an authentication and authorization device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a flow chart of an authentication and authorization method according to an embodiment of the application. In this embodiment, the authentication and authorization method is applied to the server, and is applicable to a scenario where a user accesses the OA system through a browser, and the authentication and authorization method specifically includes steps S110 to S130, where each step specifically includes:
S110: transmitting an encryption authorization credential to a user to be authorized in response to a resource access request; the encryption authorization credential is generated by performing encryption operation based on a right access policy of the user to be approved, a resource access path plaintext and a system public key, and the right access policy is generated based on a right attribute of the user to be approved.
In the scenario that the user accesses the OA system through the browser, the server side may serve as a middleware to provide user authentication and user authorization services, and the server side may integrate the OA function in a Web application (browser) constructed based on JAVA language.
Specifically, after the user to be approved uploads the information to be approved to the server, the encryption authorization credential is also required to be uploaded; the encryption authorization credential is generated by performing encryption operation based on an authority access policy of the user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved.
The approval personnel can only carry out approval processing of the to-be-approved information after the approval personnel obtain the authentication authorization, so that after the to-be-approved user uploads the to-be-approved information to the server, the approval personnel serve as the to-be-authorized user and send a resource access request to the server to request to acquire access resources of the OA system, and the to-be-approved information is subjected to approval processing.
Further, in response to the resource access request, the server side sends the encrypted authorization credential to the user to be authorized.
S120: receiving an encryption authorization credential decryption result sent by a user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, and the user private key is generated based on a system master private key and authority attributes of the user to be authorized.
After the authorized user (i.e. the approver) receives the encrypted authorization credential sent by the server, the encrypted authorization credential can be decrypted by using the private key of the authorized user.
Specifically, a user private key of the user to be authorized is generated based on a system main private key and authority attributes of the user to be authorized, and the generated user private key is used for carrying out decryption operation on the encryption authorization credential to obtain a decryption result of the encryption authorization credential.
Further, the user to be authorized sends an encryption authorization credential decryption result to the server, and after the server receives the encryption authorization credential decryption result sent by the user to be authorized, the server can judge whether the user to be authorized obtains the authentication authorization of the user to be approved according to the encryption authorization credential decryption result, namely, judge whether the user to be authorized can have authority to access and approve the information to be approved, which is uploaded by the user to be approved.
S130: and judging whether the user to be authorized obtains the authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result.
It should be noted that, in this embodiment, the authentication and authorization process is implemented based on a fine-grained authority attribute authentication and authorization cryptographic algorithm.
The principle of authority attribute authentication authorization cryptographic algorithm based on fine granularity is as follows:
(1) The algorithm generates and outputs a system public key PK and a system master private key MK based on an implicit security parameter, typically a random number.
(2) Encrypt (PK, M, a) →ct: the user can generate and output a ciphertext CT encrypted by the plaintext M based on a system public key PK, a plaintext M and an access structure (namely a permission access policy) A based on the permission attribute, the ciphertext CT can be correctly decrypted only when the permission attribute S owned by the user to be authorized meets the permission access policy A, the permission access policy A is generated based on the permission attribute of the user, and the ciphertext CT can be used as an encryption authorization credential.
(3) KeyGen (MK, PK, S) →sk: the user to be authorized generates and outputs a user private key SK of the user to be authorized based on a system main private key MK and an authority attribute S of the user to be authorized.
(4) Decrypt (PK, CT, SK) →m: the user to be authorized can decrypt the ciphertext CT based on the system public key PK and the user private key SK, and if S meets A (namely the authority attribute S owned by the user to be authorized meets the authority access strategy A), the user to be authorized can correctly decrypt the ciphertext and output the plaintext M.
The authority attribute of the user to be authorized is introduced in the encryption operation of the authorization credential, and the authority attribute of the user to be authorized is introduced in the decryption of the encryption authorization credential, so that the authority judgment can be carried out in the process of the encryption operation and the decryption operation, and whether the user to be authorized has the access authority is judged.
Based on the principle, the ciphertext can be correctly decrypted only when the authority attribute of the user to be authorized meets the authority access policy; if the authority attribute of the user to be authorized does not meet the authority access strategy, the user cannot be decrypted to obtain a correct plaintext, so that whether the user to be authorized obtains the authentication authorization of the user can be judged according to the decryption result.
Specifically, after receiving the encryption authorization credential decryption result sent by the user to be authorized, the server side may determine whether the user to be authorized obtains the authentication authorization of the user to be approved based on the encryption authorization credential decryption result.
If the user to be authorized can correctly decrypt the plaintext of the resource access path, the user to be authorized is determined to obtain the authentication authorization of the user to be authorized.
If the user to be authorized cannot decrypt the plaintext of the resource access path correctly, determining that the user to be authorized does not obtain the authentication authorization of the user to be authorized.
The embodiment of the application is not remained in a simple user name-password verification mechanism, the design of authority attribute is added in the password algorithm, the security intensity of private information of the user is improved, and an attacker cannot effectively guess the session information in the authentication and authorization process.
According to the authentication and authorization method provided by the embodiment of the application, an encryption and authorization credential is sent to a user to be authorized in response to a resource access request; the encryption authorization credential is generated by encryption operation based on an authority access policy of the user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved; receiving an encryption authorization credential decryption result sent by a user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, and the user private key is generated based on a system master private key and authority attributes of the user to be authorized; and judging whether the user to be authorized obtains the authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result. By the method, the encryption authorization credential is generated based on encryption operation, decryption can be performed only when the user to be authorized has the correct user private key, so that even if the user to be authorized is attacked by weak password guess, session hijacking and the like, an attacker can not decrypt and obtain the correct decryption result of the encryption authorization credential due to the lack of the correct user private key, authentication and authorization can not be obtained, thereby avoiding potential safety hazards of unauthorized access, illegal authorization and the like of an OA system user and improving the security of authentication and authorization.
In some embodiments, the encrypted authorization credential decrypts the result as an access path.
Specifically, the encryption authorization credential is generated by performing encryption operation based on the authority access policy, the resource access path plaintext and the system public key of the user to be approved, and the user to be authorized performs decryption operation on the encryption authorization credential based on the user private key, so that an access path can be obtained by decryption.
Understandably, if the authority attribute of the user to be authorized meets the authority access policy, the access path obtained by decryption is the same as the plaintext of the resource access path; if the authority attribute of the user to be authorized does not meet the authority access strategy, the access path obtained by decryption is different from the plaintext of the resource access path.
Based on the encryption authorization credential decryption result, judging whether the user to be authorized obtains the authentication authorization of the user to be approved, including: verifying whether the access path is identical with the plaintext of the resource access path; if the access path is the same as the plaintext of the resource access path, determining that the user to be authorized obtains the authentication authorization of the user to be approved; acquiring an access resource corresponding to a resource access path plaintext; and sending the access resource to the user to be authorized.
Specifically, after receiving the access path decrypted by the user to be authorized, the server can perform jump address verification to verify whether the access path is identical to the plaintext of the resource access path.
If the access path and the resource access path plaintext obtained by decryption of the user to be authorized can be jumped to the same webpage, the access path and the resource access path plaintext are the same.
If the access path obtained by decryption of the user to be authorized and the plaintext of the resource access path cannot be jumped to the same webpage, the access path and the plaintext of the resource access path are different.
Further, if the access path is the same as the plaintext of the resource access path, determining that the user to be authorized obtains the authentication authorization of the user to be approved.
Further, the server side executes related resource access operation, acquires access resources corresponding to the plaintext of the resource access path, sends the access resources to the browser of the user to be authorized, displays the access resources through the browser, and allows the user to be authorized to conduct approval processing of the information to be approved on the browser.
In some embodiments, the encrypted authorization credential decrypts the result as an access path.
Based on the encryption authorization credential decryption result, judging whether the user to be authorized obtains the authentication authorization of the user to be approved, including: verifying whether the access path is identical with the plaintext of the resource access path; if the access path is different from the plaintext of the resource access path, determining that the user to be authorized does not acquire the authentication authorization of the user to be approved; and refusing to send the access resource corresponding to the resource access path plaintext to the user to be authorized.
Specifically, if the access path is different from the plaintext of the resource access path, determining that the user to be authorized does not obtain the authentication authorization of the user to be approved; and refusing to send the access resource corresponding to the resource access path plaintext to the user to be authorized.
Optionally, if the user to be authorized does not obtain the authentication authorization of the user to be approved, the method can jump to other web pages, such as a main interface or an error information prompt interface of the OA system.
In some embodiments, before sending the encrypted authorization credential to the user to be authorized in response to the resource access request, further comprising: transmitting an authorization credential uploading message to a user to be approved; receiving an encryption authorization credential, an authority access policy, a public key certificate and an attribute certificate sent by a user to be approved; storing the encrypted authorization credential, the rights access policy, the public key certificate and the attribute certificate to a database; and associating the encrypted authorization credential, the authority access policy, the public key certificate and the attribute certificate with the user information of the user to be approved in the database.
It will be appreciated that in response to a resource access request, the pending user needs to upload the encrypted authorization credential to the server side before sending the encrypted authorization credential to the pending user.
The embodiment is suitable for a scene that a user accesses an OA system through a browser, and a user to be approved can upload encryption authorization credentials through the browser, and the specific process is as follows:
(1) Initializing a browser, acquiring a public key certificate, and generating an encryption authorization credential on the browser.
Public key certificates (system public keys) can be issued by third-party CA (CERTIFICATE AUTHORITY ) institutions in a specific commercial deployment process, can be issued by an internal CA server of a company in a unified manner, can be generated by a user client in a simpler network, and a specific scheme is based on certain trade-off and compromise of economy and security.
It should be noted that, the public key certificate includes a public part and a private part, and the private part and the public part of the public key certificate are issued to the corresponding user before the system is deployed; wherein the public part can be issued to each user later in the system deployment.
The process of initializing the browser mainly performs partial calculation on js code downloaded from the Web (world wide Web) in the Web page loading stage, including operations such as a user specifying a local public key certificate and an attribute certificate.
In addition, in the authorization process, the user can also directly transmit the attribute certificate generated by the browser to the server side through the network in the form of BASE64 codes, and then transmit the attribute certificate to other authorized users through the server side.
The embodiment of the application is not remained in a simple user name-password verification mechanism, increases the design of a public key certificate and an attribute certificate, improves the security strength of private information of a user, and ensures that an attacker cannot effectively guess session information in the identity authentication process.
(2) And initializing OA service, and uploading the encrypted authorization certificate to a server side.
Specifically, after initializing the OA service by the browser, the administrator may configure an authorization credential upload message at the server side, and send the authorization credential upload message to the user to complete binding of the related authorization credential information and the user information at the server side.
After receiving the authorization credential uploading message, the pending batch user sends an encrypted authorization credential, an authorization access policy, a public key certificate and an attribute certificate to a server side; after receiving the encryption authorization credential, the authority access policy, the public key certificate and the attribute certificate sent by the user to be approved, the server stores the encryption authorization credential, the authority access policy, the public key certificate and the attribute certificate into a database, associates the encryption authorization credential, the authority access policy, the public key certificate and the attribute certificate with the user information of the user to be approved in the database, and completes the binding of the authorization credential information and the user information.
Specifically, after the server receives the encrypted authorization credential, the authority access policy, the public key certificate and the attribute certificate sent by the user to be approved, the server can update the received information to the database based on the security domain Realm mechanism, and provide a verification mechanism for the authentication authorization with the subsequent fine granularity.
Optionally, the information (such as user name, password, role, authority attribute, etc.) received by the server may be encapsulated in a principal class, and the corresponding checking module is invoked to complete extraction and verification of the user binding information in the user login process, so as to construct an identity authentication process and an authorization process.
Optionally, the rights access policies are stored in a tree structure at the server side, thereby completing deployment of the rights access policy tree at the server side.
Optionally, the rights access policy is generated by performing encryption operation based on an attribute certificate master key of the user to be approved, so that a server administrator is prevented from privately tampering with the authorization structure, and the administrator is prevented from acquiring related information through collusion attack.
Specifically, in this embodiment, the process of generating the encrypted authorization credential by the pending user is as follows:
(1) Based on bilinear operations, a system public key PK and a system master private key MK are generated and output.
The principle of bilinear mapping operation is: defining a bilinear mapping pair e, G 1×G1→G2, where G 1、G2 is a cyclic group, for R, S ε G 1,Property e (R a,Sb)=e(R,S)ab) is satisfied.
(2) The user to be approved can generate and output ciphertext based on the system public key PK, the authority access strategy and the resource access path plaintext, and the authority access strategy is generated based on the authority attribute of the user to be approved.
In the Web application, the access rights information of the user is stored in a user session structure body at the server side, a useful password mechanism is needed for the session impersonation displacement behavior to avoid the situation, and rights access control is realized by combining shiro filters and a rights attribute-based access structure in the shiro dynamic session.
In this embodiment, the fine-grained authority attribute of the pending user may be defined as: p= { P 1,P1,...,Pn }, P represents the attribute set.
P has the following properties: aggregationAggregation
Having monotonicity, e.g. provided withIf B is E A, the step of setting the position of the base plate to be equal to B,C e a.
The rights access policy (i.e., access structure based on rights attributes) may be generated based on the fine-grained rights attributes of the pending users and stored in a tree structure.
Referring to fig. 2, fig. 2 is an exemplary diagram of a rights access policy provided in an embodiment of the present application. As shown in fig. 2, it is assumed that in the OA file approval scenario, an activity initiator (user to be approved) formulates an authority access policy according to the role authority attribute required by the approval process.
Assuming that the user to be approved is an uploading person of the financial report, the approval process requires that the user approving the financial report uploaded by the user to be approved has a department manager attribute or a total manager attribute, and also requires that the user has a management financial attribute, and the authority access strategy tree is shown in fig. 2.
Optionally, a lagrangian coefficient is defined: Wherein the method comprises the steps of S is of the typeAll attribute sets are U, for each attribute i ε U, fromA number t i is randomly and uniformly distributed in the whole system, and finallyAnd uniformly selecting y. The system public key PK is noted asThe system master private key MK is noted mk=t 1,...,t|U|, y. Encryption information (namely resource access path plaintext) m epsilon G 2, ciphertext corresponding attribute set is gamma, and random value is selectedGenerating ciphertext
It should be noted that, in the attribute encryption process, a key corresponding to the polynomial coefficient may be generated, and the decryption process of the user to be authorized may be understood as calculating the polynomial q r (0) =y from the root node r of the rights access policy tree, where the remaining internal nodes of the rights access policy tree need the polynomial to satisfy q x(0)=qparent(x) (index (x)). The authority attribute of the authority access strategy tree record can be extracted from the leaf node, which isI=att (x), the set of secret values is the decryption key.
Specifically, in this embodiment, the process of decrypting the encrypted authorization credential by the user to be authorized is as follows:
When a user to be authorized performs resource access and business flow state approval operation, the browser can decrypt the encrypted authorization credential, and the decryption process is a recursive process and can be defined as:
The above procedure is a decryption procedure for leaf nodes, and for non-leaf nodes, all nodes of the rights access policy tree x are denoted as z, and then there is F z=DecrypNodez, where the decryption procedure for all leaf nodes can be expressed as:
When the authority attribute of the user to be authorized meets the authority access strategy, the function on the root is called to calculate e (g, g) ys=Ys, and further calculate The decryption results in a resource access path plaintext M.
In some embodiments, before sending the encrypted authorization credential to the user to be authorized in response to the resource access request, further comprising: receiving a user name, a password, a public key certificate and an attribute certificate sent by a user to be authorized; judging whether the user to be authorized is a legal user or not based on the user name, the password, the public key certificate and the attribute certificate; and if the user to be authorized is not a legal user, rejecting the resource access request of the user to be authorized.
It will be appreciated that before sending the encrypted authorization credentials to the user to be authorized in response to a resource access request, the perpetual identity of the user to be authorized needs to be verified to determine if it is a legitimate user of the OA system.
Specifically, a user name, a password, a public key certificate and an attribute certificate sent by a user to be authorized are received.
Further, based on the user name, the password, the public key certificate and the attribute certificate, query verification is carried out in the database, and whether the user to be authorized is a legal user or not is judged.
If the user name, the password, the public key certificate and the attribute certificate of the user to be authorized do not exist in the database, the user to be authorized is determined not to be a legal user, and the resource access request of the user to be authorized is refused.
The existing Shiro technology provides a user name-password mechanism by default at a browser end to finish the verification of the user identity, and the authentication authorization method provided by the embodiment of the application can improve the safety and reliability of the identity authentication by combining the user name, the password, the public key certificate and the attribute certificate to perform the identity authentication on the basis of the existing user name-password mechanism.
In some embodiments, the access resource includes information to be approved, and the user to be authorized is an approver corresponding to the information to be approved.
After sending the access resource to the user to be authorized, the method further comprises: receiving an approval result of the information to be approved, which is sent by the user to be authorized; if the approval result is that the approval passes, updating the approval result to a database; determining a new user to be authorized; and sending an approval notification message to the new user to be authorized so that the new user to be authorized generates a new resource access request according to the approval notification message.
Specifically, after the access resource is sent to the user to be authorized, the user to be authorized can check specific information of the business process, and approve the information to be approved, and the approval result comprises approval passing and rejection.
Further, the user to be authorized sends the approval result of the information to be approved to the server side.
If the approval result is refused, the server side updates the approval result to the database and terminates the next step of the current flow.
If the approval result is that the approval passes, the server side updates the approval result to the database.
Further, the server side can determine a new user to be authorized, namely the next approver, based on a preset business approval process; and sending an approval notification message to the new user to be authorized through the registered processing function, so that the new user to be authorized generates a new resource access request according to the approval notification message until the business process is terminated.
The embodiment of the application also provides a specific example of the authentication and authorization method. Referring to fig. 3, fig. 3 is a second flowchart of an authentication and authorization method according to an embodiment of the application.
Specifically, an OA approval system application is quickly built by adopting a flow engine before authentication and authorization. The OA approval system application is constructed as follows:
s101: under the system initialization configuration condition, a user public key certificate is constructed in a related software and hardware environment conforming to the standard public key infrastructure PKI.
Public key certificates can be configured on both the user browser side and the server side.
The method comprises the steps of constructing a public key-based user identity and credential by utilizing an existing Shiro framework, providing a basic identity security information authentication environment for user login verification and online session maintenance, designing five relationship tables of user information, user roles, authority information, user role relationships and role authority relationships in a database structure, and providing data storage support for public key authentication.
S102: defining a security data source based on a Realm mechanism, and driving the JVM to verify the identity information of the user by relying on a security manager.
The specific operation class is realized through integrating the Realm interface, the attribute authority verification mechanism is constructed, the authorization operation is completed in the attribute authority encryption process, the authentication operation is completed in the attribute authority decryption process, and the corresponding operation is realized in the two security management classes in the pairing mode.
S103: the Web is converged to start the engine, and the real is registered in combination with the specific engine.
And setting a filter for the resource access path jump after the engine is started, and determining whether the access request of the webpage resource is executed or not through the requirements given by the authorized and authenticated security domain.
Optionally, all web page resources are classified together and may be subdivided into authentication filters and authorization filters.
Optionally, authentication filters may be specifically classified into anonymous, online, user, browser body, and the like.
Optionally, the authorization filter may be specifically classified into authority filtering, role filtering, secure socket, rest, port, and the like.
S104: and (3) configuring safety parameters, namely setting a safety algorithm and a parameter specification adopted by a safety domain.
And determining the type and the password length setting adopted by the encryption algorithm according to the running efficiency and the security of the OA system.
Optionally, the encryption algorithm comprises six algorithms of symmetric encryption, public key encryption, attribute authority encryption, digest algorithm and pseudo-random security algorithm.
S105: and constructing a business approval process by adopting an injection technology.
Specifically, the sponsor of the approval event is determined by designing the user approval event, the state setting and the condition judgment of the approval event in the business process are added, and the basic service support is provided for the business approval process by combining strategy judgment. Meanwhile, the authority attribute which needs to be set and granted in the process of user initiation approval is designed.
After the preparation is completed, the authentication and authorization algorithm of the embodiment of the application can be used for verification.
As shown in fig. 3, the pending user first performs client (browser) initialization and OA service initialization.
Further, the user to be approved generates an encryption authorization credential at the client side, and sends the encryption authorization credential, the authority access policy, the public key certificate and the attribute certificate to the server side.
Further, the server side stores the received encryption authorization credentials, the authority access policies, the public key certificates and the attribute certificates into a database through a security domain Realm mechanism, associates the encryption authorization credentials, the authority access policies, the public key certificates and the attribute certificates with user information of users to be approved in the database, and completes binding of the authorization credential information and the user information.
Further, the user to be authorized sends a resource access request to the server; the server side responds to the resource access request and sends an encryption authorization credential to a user to be authorized; the user to be authorized carries out decryption operation on the received encryption authorization credential to obtain an encryption authorization credential decryption result, and sends the encryption authorization credential decryption result to the server side; the server side receives an encryption authorization credential decryption result sent by the user to be authorized and judges whether the user to be authorized obtains authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result.
The decryption result of the encryption authorization credential is an access path.
Specifically, if the access path is the same as the plaintext of the resource access path, determining that the user to be authorized obtains the authentication authorization of the user to be approved; acquiring an access resource corresponding to a resource access path plaintext; and sending the access resource to a browser of the user to be authorized, wherein the user to be authorized can display the access resource through the browser, and allows the user to be authorized to carry out approval processing of the information to be approved on the browser.
Specifically, after the access resource is sent to the user to be authorized, the user to be authorized can check specific information of the business process, and conduct business process approval on the information to be approved, wherein approval results comprise approval passing and rejection.
Further, if the approval result is that the approval passes, the server side updates the approval result to the database, and the server side can determine a new user to be authorized, namely the next approver, based on a preset business approval process; and sending approval notification information to the new user to be authorized through the registered processing function, so that the new user to be authorized generates a new resource access request according to the approval notification information, and continuing authentication and authorization until the business process jump is terminated.
The embodiment of the application also provides an authentication and authorization device. Referring to fig. 4, fig. 4 is a schematic structural diagram of an authentication and authorization apparatus according to an embodiment of the present application, where in the embodiment, the authentication and authorization apparatus includes a sending module 410, a receiving module 420, and a judging module 430.
A sending module 410, configured to send an encrypted authorization credential to a user to be authorized in response to a resource access request; the encryption authorization credential is generated by performing encryption operation based on a right access policy of the user to be approved, a resource access path plaintext and a system public key, and the right access policy is generated based on a right attribute of the user to be approved.
The receiving module 420 is configured to receive a decryption result of the encrypted authorization credential sent by the user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, and the user private key is generated based on a system master private key and authority attributes of the user to be authorized.
And the judging module 430 is configured to judge whether the user to be authorized obtains the authentication authorization of the user to be approved based on the decryption result of the encryption authorization credential.
In some embodiments, the encrypted authorization credential decrypts the result as an access path.
A judging module 430, configured to verify whether the access path is identical to the plaintext of the resource access path; if the access path is the same as the plaintext of the resource access path, determining that the user to be authorized obtains the authentication authorization of the user to be approved; acquiring an access resource corresponding to a resource access path plaintext; and sending the access resource to the user to be authorized.
In some embodiments, the encrypted authorization credential decrypts the result as an access path.
A judging module 430, configured to verify whether the access path is identical to the plaintext of the resource access path; if the access path is different from the plaintext of the resource access path, determining that the user to be authorized does not acquire the authentication authorization of the user to be approved; and refusing to send the access resource corresponding to the resource access path plaintext to the user to be authorized.
In some embodiments, the sending module 410 is configured to send an authorization credential upload message to the pending user.
A receiving module 420, configured to receive an encrypted authorization credential, an authority access policy, a public key certificate and an attribute certificate sent by a user to be approved; storing the encrypted authorization credential, the rights access policy, the public key certificate and the attribute certificate to a database; and associating the encrypted authorization credential, the authority access policy, the public key certificate and the attribute certificate with the user information of the user to be approved in the database.
In some embodiments, the receiving module 420 is configured to receive a user name, a password, a public key certificate, and an attribute certificate sent by a user to be authorized; judging whether the user to be authorized is a legal user or not based on the user name, the password, the public key certificate and the attribute certificate; and if the user to be authorized is not a legal user, rejecting the resource access request of the user to be authorized.
In some embodiments, the access resource includes information to be approved, and the user to be authorized is an approver corresponding to the information to be approved.
A receiving module 420, configured to receive an approval result of the to-be-approved information sent by the to-be-authorized user; if the approval result is that the approval passes, updating the approval result to a database; determining a new user to be authorized; and sending an approval notification message to the new user to be authorized so that the new user to be authorized generates a new resource access request according to the approval notification message.
The embodiment of the application also provides an electronic device, and fig. 5 is a schematic structural diagram of the electronic device provided by the embodiment of the application, as shown in fig. 5, the electronic device may include: processor 510, communication interface (Communications Interface) 520, memory 530, and communication bus 540, wherein processor 510, communication interface 520, memory 530 complete communication with each other through communication bus 540. Processor 510 may invoke logic instructions in memory 530 to perform the authentication authorization method.
Further, the logic instructions in the memory 530 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The embodiments of the present application also provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the authentication and authorization method provided by the above methods.
Embodiments of the present application also provide a computer program product comprising a computer program which, when executed by a processor, implements an authentication and authorization method as described in any of the above.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. An authentication and authorization method, comprising:
Transmitting an encryption authorization credential to a user to be authorized in response to a resource access request; the encryption authorization credential is generated by encryption operation based on an authority access policy of a user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved;
Receiving an encryption authorization credential decryption result sent by the user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, wherein the user private key is generated based on a system main private key and authority attributes of the user to be authorized;
And judging whether the user to be authorized obtains the authentication authorization of the user to be approved or not based on the encryption authorization credential decryption result.
2. The authentication and authorization method according to claim 1, wherein the encrypted authorization credential decryption result is an access path;
the step of judging whether the user to be authorized obtains the authentication authorization of the user to be approved based on the encryption authorization credential decryption result comprises the following steps:
verifying whether the access path is identical to the plaintext of the resource access path;
If the access path is the same as the resource access path plaintext, determining that the user to be authorized obtains the authentication authorization of the user to be approved;
Acquiring access resources corresponding to the resource access path plaintext;
and sending the access resource to the user to be authorized.
3. The authentication and authorization method according to claim 1, wherein the encrypted authorization credential decryption result is an access path;
the step of judging whether the user to be authorized obtains the authentication authorization of the user to be approved based on the encryption authorization credential decryption result comprises the following steps:
verifying whether the access path is identical to the plaintext of the resource access path;
If the access path is different from the plaintext of the resource access path, determining that the user to be authorized does not acquire the authentication authorization of the user to be approved;
And refusing to send the access resource corresponding to the resource access path plaintext to the user to be authorized.
4. The authentication and authorization method according to claim 1, further comprising, before sending the encrypted authorization credential to the user to be authorized in response to the resource access request:
Sending an authorization credential uploading message to the user to be approved;
Receiving the encryption authorization credential, the authority access policy, the public key certificate and the attribute certificate sent by the user to be approved;
Storing the encrypted authorization credential, the rights access policy, the public key certificate, and the attribute certificate to a database;
and associating the encrypted authorization credential, the authority access policy, the public key certificate and the attribute certificate with the user information of the user to be approved in a database.
5. The authentication and authorization method according to claim 1, further comprising, before sending the encrypted authorization credential to the user to be authorized in response to the resource access request:
receiving a user name, a password, a public key certificate and an attribute certificate sent by the user to be authorized;
Judging whether the user to be authorized is a legal user or not based on the user name, the password, the public key certificate and the attribute certificate;
And if the user to be authorized is not a legal user, rejecting the resource access request of the user to be authorized.
6. The authentication and authorization method according to claim 2, wherein the access resource includes information to be approved, and the user to be authorized is an approver corresponding to the information to be approved;
after the access resource is sent to the user to be authorized, the method further comprises:
receiving an approval result of the to-be-approved information sent by the to-be-authorized user;
if the approval result is that the approval passes, updating the approval result to a database;
determining a new user to be authorized;
and sending an approval notification message to the new user to be authorized so that the new user to be authorized generates a new resource access request according to the approval notification message.
7. An authentication and authorization apparatus, comprising:
The sending module is used for responding to the resource access request and sending an encryption authorization credential to the user to be authorized; the encryption authorization credential is generated by encryption operation based on an authority access policy of a user to be approved, a resource access path plaintext and a system public key, and the authority access policy is generated based on an authority attribute of the user to be approved;
The receiving module is used for receiving the encryption authorization credential decryption result sent by the user to be authorized; the encryption authorization credential decryption result is generated by performing decryption operation based on the encryption authorization credential and a user private key of the user to be authorized, wherein the user private key is generated based on a system main private key and authority attributes of the user to be authorized;
and the judging module is used for judging whether the user to be authorized obtains the authentication and authorization of the user to be approved or not based on the encryption and authorization credential decryption result.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the authentication and authorization method according to any one of claims 1 to 6 when the program is executed by the processor.
9. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the authentication and authorization method according to any one of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the authentication and authorization method according to any one of claims 1 to 6.
CN202410286332.4A 2024-03-13 2024-03-13 Authentication and authorization method, device, electronic equipment, storage medium and product Active CN118802159B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410286332.4A CN118802159B (en) 2024-03-13 2024-03-13 Authentication and authorization method, device, electronic equipment, storage medium and product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410286332.4A CN118802159B (en) 2024-03-13 2024-03-13 Authentication and authorization method, device, electronic equipment, storage medium and product

Publications (2)

Publication Number Publication Date
CN118802159A true CN118802159A (en) 2024-10-18
CN118802159B CN118802159B (en) 2026-01-23

Family

ID=93024468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410286332.4A Active CN118802159B (en) 2024-03-13 2024-03-13 Authentication and authorization method, device, electronic equipment, storage medium and product

Country Status (1)

Country Link
CN (1) CN118802159B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119089415A (en) * 2024-11-08 2024-12-06 天津金城银行股份有限公司 Authorization authentication method, system, intelligent terminal and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991278A (en) * 2016-07-11 2016-10-05 河北省科学院应用数学研究所 Ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption)
US20170359184A1 (en) * 2016-06-09 2017-12-14 International Business Machines Corporation Credential-Based Authorization
CN112073479A (en) * 2020-08-26 2020-12-11 重庆邮电大学 Method and system for controlling de-centering data access based on block chain
CN115664656A (en) * 2022-10-25 2023-01-31 北京邮电大学 Ciphertext Policy Attribute-Based Encryption Supporting Traitor Tracing and Tree Access Structure
CN117411660A (en) * 2023-05-09 2024-01-16 深圳Tcl新技术有限公司 Resource authorization method, device, storage medium and electronic equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170359184A1 (en) * 2016-06-09 2017-12-14 International Business Machines Corporation Credential-Based Authorization
CN105991278A (en) * 2016-07-11 2016-10-05 河北省科学院应用数学研究所 Ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption)
CN112073479A (en) * 2020-08-26 2020-12-11 重庆邮电大学 Method and system for controlling de-centering data access based on block chain
CN115664656A (en) * 2022-10-25 2023-01-31 北京邮电大学 Ciphertext Policy Attribute-Based Encryption Supporting Traitor Tracing and Tree Access Structure
CN117411660A (en) * 2023-05-09 2024-01-16 深圳Tcl新技术有限公司 Resource authorization method, device, storage medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程思嘉;张昌宏;潘帅卿;: "基于CP-ABE算法的云存储数据访问控制方案设计", 信息网络安全, no. 02, 10 February 2016 (2016-02-10) *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119089415A (en) * 2024-11-08 2024-12-06 天津金城银行股份有限公司 Authorization authentication method, system, intelligent terminal and storage medium

Also Published As

Publication number Publication date
CN118802159B (en) 2026-01-23

Similar Documents

Publication Publication Date Title
CN111429254B (en) Business data processing method and device and readable storage medium
US10904256B2 (en) External accessibility for computing devices
US10348706B2 (en) Assuring external accessibility for devices on a network
Ghaffar et al. An improved authentication scheme for remote data access and sharing over cloud storage in cyber-physical-social-systems
US20140270179A1 (en) Method and system for key generation, backup, and migration based on trusted computing
DK2414983T3 (en) Secure computer system
WO2018219056A1 (en) Authentication method, device, system and storage medium
CN101507233A (en) Method and apparatus for providing trusted single sign-on access to applications and internet-based services
WO2011063014A1 (en) Single sign on with multiple authentication factors
CN108881222A (en) Strong identity authentication system and method based on PAM framework
KR20180080183A (en) Systems and methods for biometric protocol standards
CA3172049A1 (en) Exporting remote cryptographic keys
WO2020020008A1 (en) Authentication method and authentication system
CN115442136A (en) Application system access method and device
CN118802159B (en) Authentication and authorization method, device, electronic equipment, storage medium and product
Mukhandi et al. Blockchain Hybrid-Model Scheme for Scalable Cross-Domain Authorisation
Tiwari et al. Design and Implementation of Enhanced Security Algorithm for Hybrid Cloud using Kerberos
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
CN111682941B (en) Centralized identity management, distributed authentication and authorization method based on cryptography
Megala et al. A review on blockchain-based device authentication schemes for IoT
EP4369210A2 (en) Assuring external accessibility for devices on a network
Fugkeaw et al. Multi-Application Authentication based on Multi-Agent System.
CN110225011B (en) Authentication method and device for user node and computer readable storage medium
Yasin et al. Enhancing anti-phishing by a robust multi-level authentication technique (EARMAT).
CN114996770B (en) Identity recognition method based on sink management system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant