CN110008727A - Processing method, device, computer equipment and storage medium for encrypting sensitive parameters - Google Patents

Publication number
CN110008727A
Authority
CN
China
Prior art keywords
parameter
sensitive
client
parameters
acquisition request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910282983.5A
Other languages
Chinese (zh)
Other versions
CN110008727B (en)
Inventor
全文举
曲成
林克
赵晓玮
梁策
李晖
吴东洋
熊悠雯
李洋懿
郑卓妮
罗逸倪
李菁
张丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Southern Power Grid Data Platform and Security (Guangdong) Co., Ltd.
Original Assignee
Dingxin Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dingxin Information Technology Co Ltd
Priority to CN201910282983.5A
Publication of CN110008727A
Application granted
Publication of CN110008727B
Active
Anticipated expiration


Abstract

The present application relates to a method, apparatus, computer device and storage medium for processing encrypted sensitive parameters. The method includes: receiving encrypted sensitive parameters from a parameter service platform, and writing the encrypted sensitive parameters into the local memory of a client; decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters; performing a business operation according to the decrypted sensitive parameters; and, when the business operation has finished executing, destroying the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client. Using this method can ensure that sensitive parameters are not leaked.

Description

Processing method, device, computer equipment and storage medium for encrypting sensitive parameters

Technical Field

The present application relates to the technical field of information security, and in particular to a method, apparatus, computer device and storage medium for processing encrypted sensitive parameters.

Background

RPA (Robotic Process Automation) is an automation software technology that executes business processes by configuring automation software (also called "robots") to simulate the actions a human performs when interacting with a software system.

When automation software executes a business process, it often needs to use sensitive parameters on the client to perform a series of automated operations in a business system. However, clients are frequently subject to network attacks and unauthorized access by criminals, so sensitive parameters stored on the client can be leaked and stolen.

Therefore, existing automation software is prone to leaking sensitive parameters.

Summary of the Invention

In view of the above technical problem, it is necessary to provide a method, apparatus, computer device and storage medium for processing encrypted sensitive parameters that can avoid the leakage of sensitive parameters.

A method for processing encrypted sensitive parameters, the method comprising:

receiving encrypted sensitive parameters from a parameter service platform, and writing the encrypted sensitive parameters into the local memory of a client;

decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;

performing a business operation according to the decrypted sensitive parameters;

when the business operation has finished executing, destroying the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.

In one embodiment, the decrypted sensitive parameters include at least one of a login account, a login password, and a web page access address of a business system;

performing the business operation according to the decrypted sensitive parameters includes:

accessing the business system according to the web page access address;

executing a robot simulated login operation, where the robot simulated login operation is used to log in to the business system using the login account and the login password.

In one embodiment, decrypting the encrypted sensitive parameters to obtain the decrypted sensitive parameters includes:

obtaining a password key acquisition request, and sending the password key acquisition request to the parameter service platform;

receiving a session encryption key for the password key acquisition request;

decrypting the encrypted sensitive parameters using the session encryption key to generate the decrypted sensitive parameters.

In one embodiment, obtaining the password key acquisition request includes:

sending a password acquisition request to the parameter service platform;

receiving a user password for the password acquisition request;

generating the password key acquisition request according to the user password.

In one embodiment, receiving the encrypted sensitive parameters from the parameter service platform includes:

sending a parameter acquisition request to the parameter service platform, where the parameter acquisition request is used by the parameter service platform to determine the user identity features of the client, and the user identity features are used by the parameter service platform to determine the encrypted sensitive parameters for the client;

receiving the encrypted sensitive parameters for the parameter acquisition request.

A method for sending encrypted sensitive parameters, the method comprising:

receiving a parameter acquisition request from a client;

generating encrypted sensitive parameters for the parameter acquisition request;

sending the encrypted sensitive parameters, where the encrypted sensitive parameters are received by the client and written into the local memory of the client; the encrypted sensitive parameters are also decrypted by the client to obtain decrypted sensitive parameters; the decrypted sensitive parameters are used by the client to perform a business operation; and when the business operation has finished executing, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

In one embodiment, generating the encrypted sensitive parameters for the parameter acquisition request includes:

determining the user identity features of the client according to the parameter acquisition request, where the user identity features include at least one of the user's position level, the user's confidentiality level, and the user's length of employment;

determining, according to the user identity features, whether the client has permission to use the parameters;

if so, querying the initial sensitive parameters for the parameter acquisition request;

obtaining a session encryption key, and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters.

In one embodiment, obtaining the session encryption key includes:

receiving a password key acquisition request from the client;

determining the user password according to the password key acquisition request;

querying, according to the user password, whether the session encryption key exists in a preset key mapping table;

if not, generating the session encryption key and writing the session encryption key to the key mapping table;

sending the session encryption key to the client.

In one embodiment, querying the initial sensitive parameters for the parameter acquisition request includes:

querying initial encrypted parameters according to the parameter acquisition request;

obtaining a platform key, and decrypting the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.

A system for processing encrypted sensitive parameters, the system comprising a client and a parameter service platform;

the client is configured to send a parameter acquisition request to the parameter service platform, and is further configured to: receive encrypted sensitive parameters from the parameter service platform and write the encrypted sensitive parameters into the local memory of the client; decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters; perform a business operation according to the decrypted sensitive parameters; and, when the business operation has finished executing, destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client;

the parameter service platform is configured to receive the parameter acquisition request from the client, generate encrypted sensitive parameters for the parameter acquisition request, and send the encrypted sensitive parameters.

An apparatus for processing encrypted sensitive parameters, the apparatus comprising:

a writing module, configured to receive encrypted sensitive parameters from a parameter service platform and write the encrypted sensitive parameters into the local memory of a client;

a decryption module, configured to decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters;

an operation module, configured to perform a business operation according to the decrypted sensitive parameters;

a destruction module, configured to destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client when the business operation has finished executing.

An apparatus for sending encrypted sensitive parameters, the apparatus comprising:

a receiving module, configured to receive a parameter acquisition request from a client;

a generating module, configured to generate encrypted sensitive parameters for the parameter acquisition request;

a sending module, configured to send the encrypted sensitive parameters, where the encrypted sensitive parameters are received by the client and written into the local memory of the client; the encrypted sensitive parameters are also decrypted by the client to obtain decrypted sensitive parameters; the decrypted sensitive parameters are used by the client to perform a business operation; and when the business operation has finished executing, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

A computer device comprising a memory and a processor, the memory storing a computer program, where the processor implements the following steps when executing the computer program:

receiving encrypted sensitive parameters from a parameter service platform, and writing the encrypted sensitive parameters into the local memory of a client;

decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;

performing a business operation according to the decrypted sensitive parameters;

when the business operation has finished executing, destroying the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.

A computer-readable storage medium on which a computer program is stored, where the following steps are implemented when the computer program is executed by a processor:

receiving a parameter acquisition request from a client;

generating encrypted sensitive parameters for the parameter acquisition request;

sending the encrypted sensitive parameters, where the encrypted sensitive parameters are received by the client and written into the local memory of the client; the encrypted sensitive parameters are also decrypted by the client to obtain decrypted sensitive parameters; the decrypted sensitive parameters are used by the client to perform a business operation; and when the business operation has finished executing, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

In the above method, apparatus, computer device and storage medium for processing encrypted sensitive parameters, the client receives the encrypted sensitive parameters from the parameter service platform and writes them into the local memory of the client; it then decrypts the encrypted sensitive parameters to obtain the decrypted sensitive parameters; finally, it performs the business operation according to the decrypted sensitive parameters. When the business operation has finished executing, the decrypted sensitive parameters and the encrypted sensitive parameters are destroyed from the local memory of the client, which avoids the leakage risk of keeping sensitive parameters on the client for a long time. Using the parameter management platform provides unified management and control of sensitive parameters, which further increases the difficulty of leaking them.

Description of Drawings

FIG. 1 is an application environment diagram of a method for processing encrypted sensitive parameters in one embodiment;

FIG. 2 is a schematic flowchart of a method for processing encrypted sensitive parameters in one embodiment;

FIG. 3 is a schematic flowchart of a method for sending encrypted sensitive parameters in another embodiment;

FIG. 4 is a structural block diagram of an apparatus for processing encrypted sensitive parameters in one embodiment;

FIG. 5 is a structural block diagram of an apparatus for sending encrypted sensitive parameters in another embodiment;

FIG. 6 is a sequence diagram of a system for processing encrypted sensitive parameters in another embodiment;

FIG. 7 is a diagram of the internal structure of a computer device in one embodiment.

Detailed Description

In order to make the purpose, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present application and are not intended to limit it.

The method for processing encrypted sensitive parameters provided by the present application can be applied in the application environment shown in FIG. 1, in which the client 110 communicates with the parameter service platform 120 over a network. The client 110 can be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer or portable wearable device, and the parameter service platform 120 can be implemented as an independent server or as a server cluster composed of multiple servers.

In one embodiment, as shown in FIG. 2, a method for processing encrypted sensitive parameters is provided, comprising the following steps:

Step 210: receive the encrypted sensitive parameters from the parameter service platform, and write the encrypted sensitive parameters into the local memory of the client.

Here, sensitive parameters may be parameters that involve personal privacy or trade secrets.

Encrypted sensitive data may refer to sensitive parameters that have been encrypted with a specific key.

In a specific implementation, the client 110 can use sensitive parameters to perform a series of automated operations in the business system. When the client 110 needs to use sensitive parameters, it sends a parameter acquisition request to the parameter service platform 120. After receiving the parameter acquisition request, the parameter service platform 120 looks up the sensitive parameters corresponding to the request in the parameter database, encrypts them to generate encrypted sensitive parameters, and sends the encrypted sensitive parameters to the client 110. The client 110 then receives the encrypted sensitive parameters from the parameter service platform and writes them into the local memory of the client 110 for further use.

Step 220: decrypt the encrypted sensitive parameters to obtain the decrypted sensitive parameters.

Here, the decrypted sensitive parameters may refer to the sensitive parameters after decoding.

In a specific implementation, after the client 110 receives the encrypted sensitive parameters, it obtains the decryption key corresponding to the encrypted sensitive parameters and uses that decryption key to decrypt them, obtaining the decrypted sensitive parameters.

Step 230: perform a business operation according to the decrypted sensitive parameters.

Here, a business operation may refer to an operation that needs sensitive parameters in order to carry out business processing.

In a specific implementation, after the client 110 has decrypted the encrypted sensitive parameters and obtained the decrypted sensitive parameters, it performs business operations according to the decrypted sensitive parameters, for example a series of business operations such as automatically logging in to a financial system and automatically auditing financial information.

Step 240: when the business operation has finished executing, destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.

In a specific implementation, whether the business operation has finished executing is monitored in real time. When it has finished, the client 110 destroys the decrypted sensitive parameters and the encrypted sensitive parameters from local memory to avoid leakage. For example, the client 110 monitors in real time whether the current business operation has finished by monitoring the processes running on the system; when the business operation has finished, the client 110 destroys the decrypted sensitive parameters and the encrypted sensitive parameters stored in local memory.

In the above method for processing encrypted sensitive parameters, the client receives the encrypted sensitive parameters from the parameter service platform and writes them into the local memory of the client; it then decrypts the encrypted sensitive parameters to obtain the decrypted sensitive parameters; finally, it performs the business operation according to the decrypted sensitive parameters. When the business operation has finished executing, the decrypted sensitive parameters and the encrypted sensitive parameters are destroyed from the local memory of the client, which avoids the leakage risk of keeping sensitive parameters on the client for a long time. Using the parameter management platform provides unified management and control of sensitive parameters, which further increases the difficulty of leaking them.
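Steps 210 to 240 as a client-side sketch, added here as an illustration and not code from the patent: the encrypted parameter is held in a mutable buffer, decrypted, lent to the business operation, and both buffers are overwritten when the operation ends, including when it fails. The cipher (a SHAKE-256 keystream with an HMAC-SHA256 tag), the function names and the sample values are assumptions; the patent names no cipher, and real code would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from contextlib import contextmanager

NONCE_LEN, TAG_LEN = 16, 32


def _xor_keystream(key: bytes, nonce: bytes, data) -> bytearray:
    # Stand-in cipher (assumption): XOR with a SHAKE-256 keystream.
    # The patent names no cipher; use a vetted AEAD (e.g. AES-GCM) in practice.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytearray(a ^ b for a, b in zip(data, stream))


def platform_encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    """Platform side: encrypt one sensitive parameter under the session key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(_xor_keystream(session_key, nonce, plaintext))
    tag = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place (the 'destroy' of step 240)."""
    for i in range(len(buf)):
        buf[i] = 0


@contextmanager
def decrypted_parameter(session_key: bytes, encrypted: bytearray):
    """Steps 220-240: decrypt, lend the plaintext out, then wipe both buffers."""
    plain = bytearray()
    try:
        view = memoryview(encrypted)  # slicing a memoryview does not copy
        nonce, tag = bytes(view[:NONCE_LEN]), bytes(view[-TAG_LEN:])
        expected = hmac.new(session_key, view[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("encrypted parameter failed its integrity check")
        plain = _xor_keystream(session_key, nonce, view[NONCE_LEN:-TAG_LEN])
        yield plain
    finally:
        # Runs on normal completion and when the business operation raises.
        wipe(plain)
        wipe(encrypted)


def run_business_operation(session_key: bytes, received: bytes, operation):
    """Steps 210-240 end to end; returns the result and the wiped local buffer."""
    # Step 210: write into local memory. Real code would read from the socket
    # with recv_into() so that no immutable copy of the ciphertext exists.
    local = bytearray(received)
    with decrypted_parameter(session_key, local) as plain:
        # The operation must consume `plain` without copying it: a bytes or str
        # copy (e.g. plain.decode()) is immutable and cannot be wiped afterwards.
        result = operation(plain)
    return result, local


if __name__ == "__main__":
    key = secrets.token_bytes(32)                        # constructed session key
    blob = platform_encrypt(key, b"constructed-login-password")
    digest, local = run_business_operation(
        key, blob, lambda p: hashlib.sha256(p).hexdigest())
    print(digest, "local buffer wiped:", not any(local))
```

Overwriting a `bytearray` only clears the buffers this code owns; copies made by the interpreter or by a library that converts the value to `str` are outside its reach.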

In another embodiment, the decrypted sensitive parameters include at least one of a login account, a login password and a web page access address of the business system; performing the business operation according to the decrypted sensitive parameters includes: accessing the business system according to the web page access address; and executing a robot simulated login operation, where the robot simulated login operation is used to log in to the business system using the login account and the login password.

Here, the business system may refer to a system for processing financial business.

In a specific implementation, the decrypted sensitive parameters may include at least one of a login account, a login password, and a web page access address of the business system. When the client 110 performs a business operation according to the decrypted sensitive parameters, it first accesses the business system through the web page access address of the business system by invoking an Internet browser. The client 110 then executes the robot simulated login operation. The robot simulated login operation may be an automated login script written on top of Selenium WebDriver (a browser automation testing framework). When the client 110 executes the robot simulated login operation, it starts the automated login script, which automatically fills the login account and the login password into the corresponding input boxes, so that the business system performs user verification and the client logs in to the business system and completes the business operation.

In the technical solution of this embodiment, when the client performs the business operation according to the decrypted sensitive parameters, it accesses the business system according to the web page access address and executes the robot simulated login operation, which provides security for the sensitive parameters while implementing the business operation of automatically logging in to the business system.

In another embodiment, decrypting the encrypted sensitive parameters to obtain the decrypted sensitive parameters includes: obtaining a password key acquisition request, and sending the password key acquisition request to the parameter service platform; receiving a session encryption key for the password key acquisition request; and decrypting the encrypted sensitive parameters using the session encryption key to generate the decrypted sensitive parameters.

Here, the password key acquisition request may refer to a request to obtain a key that carries password information.

The session encryption key may refer to an encryption key that is valid only within the session between the current client and the parameter service platform.

In practical applications, the parameter service platform uses the session encryption key to encrypt the sensitive parameters and generate the encrypted sensitive parameters.

In a specific implementation, while decrypting the encrypted sensitive parameters, the client 110 obtains a password key acquisition request according to the current user password and then sends the password key acquisition request to the parameter service platform 120. After receiving the password key acquisition request, the parameter service platform 120 uses it to look up the session encryption key corresponding to the encrypted sensitive parameters; this session encryption key is valid only within the session between the current client and the parameter service platform. The platform then sends the session encryption key to the client 110. After receiving the session encryption key, the client 110 uses it to decrypt the encrypted sensitive parameters and generate the decrypted sensitive parameters.

In the technical solution of this embodiment, the sensitive parameters are encrypted and decrypted with a session encryption key that is valid only within the session between the current client and the parameter service platform. This protects the communication session between the client and the parameter service platform, so that sensitive parameters are not leaked through hijacking and cracking by criminals.

In another embodiment, obtaining the password key acquisition request includes: sending a password acquisition request to the parameter service platform; receiving a user password for the password acquisition request; and generating the password key acquisition request according to the user password.

Here, the user password may refer to a temporary verification token for the client user.

In a specific implementation, when the user successfully logs in to the client 110, the client 110 sends a password acquisition request to the parameter service platform 120. After receiving the password acquisition request, the parameter service platform 120 generates a user password, which can consist of the user's unique identifier, a timestamp of the current time, and a signature. The parameter service platform 120 then sends the user password to the client 110. The client 110 receives the user password for the password acquisition request, and can also generate the password key acquisition request according to the user password.

In the technical solution of this embodiment, the client sends a password acquisition request to the parameter service platform, receives the user password for the password acquisition request, and then generates the password key acquisition request according to the user password. The parameter service platform can therefore determine the user password corresponding to the current client from the password key acquisition request and look up the corresponding session encryption key according to the user password, which improves the security with which the parameter management platform manages and controls sensitive parameters.
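The user password described above (user identifier, timestamp and signature) and the platform's key mapping table lookup, as an added sketch that is not code from the patent. HMAC-SHA256 as the signature, the 900-second lifetime, the purge step and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # platform-only signing secret (assumption)
TOKEN_TTL = 900                        # seconds a user password is valid (assumption)


class TokenRejected(Exception):
    """Raised when a presented user password is malformed, forged or expired."""


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_user_password(user_id: str, now: int) -> str:
    """Platform: build '<user id>.<timestamp>.<signature>' after a client login."""
    payload = f"{user_id}.{now}"
    return f"{payload}.{_sign(payload)}"


def verify_user_password(token: str, now: int) -> str:
    """Return the user id if the token is authentic and fresh, else raise."""
    try:
        user_id, issued_at, signature = token.rsplit(".", 2)
        age = now - int(issued_at)
        expected = _sign(f"{user_id}.{issued_at}").encode()
        presented = signature.encode()
    except ValueError:  # wrong shape, non-numeric timestamp, unencodable text
        raise TokenRejected("malformed") from None
    # Constant-time comparison, on bytes so that non-ASCII input cannot raise.
    if not hmac.compare_digest(presented, expected):
        raise TokenRejected("bad signature")
    if not 0 <= age <= TOKEN_TTL:
        raise TokenRejected("expired")
    return user_id


class SessionKeyTable:
    """The preset key mapping table: user password -> session encryption key."""

    def __init__(self):
        self._keys = {}

    def get_or_create(self, token: str, now: int) -> bytes:
        """Handle a password key acquisition request carrying `token`."""
        verify_user_password(token, now)
        self.purge(now)
        key = self._keys.get(token)
        if key is None:  # not in the table yet: generate the key and write it
            key = secrets.token_bytes(32)
            self._keys[token] = key
        return key

    def purge(self, now: int) -> int:
        """Drop keys whose user password has expired; returns how many."""
        stale = [t for t in self._keys
                 if now - int(t.rsplit(".", 2)[1]) > TOKEN_TTL]
        for t in stale:
            del self._keys[t]
        return len(stale)

    def __len__(self) -> int:
        return len(self._keys)


if __name__ == "__main__":
    now = int(time.time())
    table = SessionKeyTable()
    token = issue_user_password("robot-01", now)  # constructed user id
    print(token.rsplit(".", 1)[0], table.get_or_create(token, now).hex())
```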

In another embodiment, receiving the encrypted sensitive parameters from the parameter service platform includes: sending a parameter acquisition request to the parameter service platform, where the parameter acquisition request is used by the parameter service platform to determine the user identity features of the client, and the user identity features are used by the parameter service platform to determine the encrypted sensitive parameters for the client; and receiving the encrypted sensitive parameters returned for the parameter acquisition request.

In a specific implementation, after the client 110 sends a parameter acquisition request to the parameter service platform 120, the parameter service platform 120 determines, according to the parameter acquisition request, the user identity features of the user of the current client 110, for example the user name, user position level, user security clearance level and length of employment. The parameter service platform 120 then determines, according to these user identity features, the encrypted sensitive parameters for the user of the current client 110 and sends the encrypted sensitive parameters to the client 110 for the client 110 to receive.

For example, when the user of the client 110 has a low security clearance level, all parameters that the parameter management platform 120 is about to send to the client 110 are sensitive parameters with respect to the current user, so the parameter management platform 120 encrypts all of the parameters to obtain the encrypted sensitive parameters. When the user of the client 110 has a high security clearance level, only some of the parameters that the parameter management platform 120 is about to send to the client 110 are sensitive parameters with respect to the current user, so the parameter management platform 120 encrypts only those parameters to obtain the encrypted sensitive parameters.

In the technical solution of this embodiment, the user identity features are determined according to the parameter acquisition request that was sent, and sensitive parameters are encrypted selectively according to the user identity features, which improves the efficiency with which the client obtains encrypted sensitive parameters.

In one embodiment, as shown in FIG. 3, a method for sending encrypted sensitive parameters is provided, including the following steps:

Step 310: receive a parameter acquisition request from the client.

Here, the parameter acquisition request may refer to a request for acquiring sensitive parameters.

In a specific implementation, the client 110 can use sensitive parameters to perform a series of automated operations in the business system. When the client 110 needs to use sensitive parameters, it sends a parameter acquisition request to the parameter service platform 120. The parameter service platform 120 receives the parameter acquisition request sent by the client 110.

Step 320: generate encrypted sensitive parameters for the parameter acquisition request.

In a specific implementation, after the parameter service platform 120 receives the parameter acquisition request, it looks up the sensitive parameters corresponding to the request in the parameter database and encrypts them to generate the encrypted sensitive parameters.

Step 330: send the encrypted sensitive parameters. The encrypted sensitive parameters are received by the client and written into the client's local memory; they are also decrypted by the client to obtain decrypted sensitive parameters; the decrypted sensitive parameters are used by the client to perform business operations; when the business operation is completed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from local memory.

In a specific implementation, after the parameter service platform 120 generates the encrypted sensitive parameters, it sends them to the client 110. The client 110 receives the encrypted sensitive parameters from the parameter service platform and writes them into the local memory of the client 110. The client 110 then obtains the decryption key corresponding to the encrypted sensitive parameters and uses that key to decrypt them, obtaining the decrypted sensitive parameters.

The client 110 then performs business operations according to the decrypted sensitive parameters, for example a series of operations such as automatically logging in to the financial system and automatically auditing financial information. When the business operation is completed, the client 110 destroys the decrypted sensitive parameters and the encrypted sensitive parameters stored in local memory.

In the above method for sending encrypted sensitive parameters, the client receives the encrypted sensitive parameters from the parameter service platform and writes them into the client's local memory; it then decrypts the encrypted sensitive parameters to obtain decrypted sensitive parameters; finally, it performs business operations according to the decrypted sensitive parameters. When the business operation is completed, the decrypted and encrypted sensitive parameters are destroyed from the client's local memory, which avoids sensitive parameters being kept locally on the client for a long time, where they are easily leaked. Using the parameter management platform to exercise unified control over sensitive parameters further increases the difficulty of leaking them.
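The client-side handling described above (write to local memory, decrypt, perform the business operation, destroy), as an added sketch that is not code from the patent. The keystream function is a constructed stand-in for a real authenticated cipher such as AES-GCM, and all function names and sample values are hypothetical.

```python
import hashlib
from contextlib import contextmanager


def keystream_xor(key, nonce, buf: bytearray) -> None:
    """Stand-in cipher for the demo: XOR buf in place with a SHA-256
    counter-mode keystream. A real client would use an authenticated
    cipher such as AES-GCM; the patent does not name one."""
    for offset in range(0, len(buf), 32):
        h = hashlib.sha256()
        h.update(key)      # update() reads the buffer without copying the key
        h.update(nonce)
        h.update(offset.to_bytes(8, "big"))
        pad = h.digest()
        for i in range(offset, min(offset + 32, len(buf))):
            buf[i] ^= pad[i - offset]


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place so no readable copy remains in it."""
    for i in range(len(buf)):
        buf[i] = 0


@contextmanager
def decrypted_parameter(session_key, nonce, ciphertext):
    """Hold the encrypted and decrypted parameter only for the duration of
    the business operation, then destroy both, even if the operation fails.

    Limits: only the two bytearrays created here are wiped. The immutable
    `ciphertext` object handed in by the caller, and any str/bytes copy the
    operation makes (for example plain.decode()), cannot be overwritten
    from Python and live until garbage collection.
    """
    encrypted = bytearray(ciphertext)   # encrypted parameter in local memory
    plain = bytearray(encrypted)        # working copy, decrypted in place
    try:
        keystream_xor(session_key, nonce, plain)
        yield encrypted, plain
    finally:
        wipe(plain)
        wipe(encrypted)


def run_with_parameter(session_key, nonce, ciphertext, operation):
    """Decrypt, run the business operation on the plaintext buffer, destroy."""
    with decrypted_parameter(session_key, nonce, ciphertext) as (_, plain):
        return operation(plain)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    key = bytearray(b"k" * 32)
    nonce = b"n" * 12
    sample = bytearray(b"constructed-login-password")
    keystream_xor(key, nonce, sample)            # platform side: encrypt
    length = run_with_parameter(key, nonce, bytes(sample), len)
    print("operation saw", length, "plaintext bytes; buffers wiped afterwards")
```

The business operation should work on the `bytearray` it is handed; converting it to `str` creates a copy that the wipe cannot reach.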

In another embodiment, generating the encrypted sensitive parameters for the parameter acquisition request includes: determining the user identity features of the client according to the parameter acquisition request, where the user identity features include at least one of user position level, user security clearance level and length of employment; determining, according to the user identity features, whether the client has permission to use the parameters; if so, querying the initial sensitive parameters for the parameter acquisition request; and acquiring a session encryption key and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters.

Here, the initial sensitive parameters may refer to sensitive parameters that have not been encrypted with a key.

In a specific implementation, when generating the encrypted sensitive parameters for the parameter acquisition request, the parameter service platform 120 determines, according to the parameter acquisition request, the user identity features of the user of the current client 110, where the user identity features include at least one of user position level, user security clearance level and length of employment. The parameter service platform 120 then determines, according to the user identity features, whether the client has permission to use the parameters. When the client 110 has permission to use the parameters, the parameter service platform 120 queries the server database for the initial sensitive parameters for the parameter acquisition request according to the user identity features, and acquires a session encryption key, where the session encryption key is valid only during the session between the current client and the parameter service platform. The parameter service platform 120 then encrypts the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters. When the client 110 does not have permission to use the parameters, the parameter service platform 120 returns a parameter acquisition error message to the client 110.

In the technical solution of this embodiment, the parameter service platform determines the user identity features of the client according to the parameter acquisition request and determines, according to the user identity features, whether the client has permission to use the parameters; the encrypted sensitive parameters are sent only when the client has that permission. Verifying whether the user of the client has permission to use the parameters improves the security with which the parameter management platform manages and controls sensitive parameters.

In another embodiment, acquiring the session encryption key includes: receiving a token key acquisition request from the client; determining the user token according to the token key acquisition request; querying, according to the user token, whether a session encryption key exists in a preset key mapping table; if not, generating a session encryption key and writing it to the key mapping table; and sending the session encryption key to the client.

Here, the key mapping table may refer to a data table generated from the mapping between user tokens and session encryption keys.

In practical applications, the parameter service platform 120 stores the session encryption key in (token, key) format in an in-memory mapping table on the parameter service platform 120 server, and the server manages the validity period of the session encryption key.

In a specific implementation, when acquiring the session encryption key, the parameter service platform 120 receives the token key acquisition request from the client and then determines, according to that request, the user token of the current client 110, where the user token may consist of the user's unique identifier, a timestamp of the current time, and a signature. The parameter service platform 120 queries, according to the user token, whether a session encryption key exists in the preset key mapping table.

When no session encryption key is found in the preset key mapping table, the parameter service platform 120 generates a session encryption key and writes it to the key mapping table; finally, it sends the session encryption key to the client 110.

When a session encryption key is found in the preset key mapping table, the parameter service platform 120 sends the session encryption key directly to the client 110. In addition, when the session encryption key has expired, the parameter service platform 120 regenerates the session encryption key and writes it to the key mapping table.

In the technical solution of this embodiment, sensitive parameters are encrypted and decrypted with a session encryption key that is valid only during the session between the current client and the parameter service platform. This protects the communication session between the client and the parameter service platform, so that sensitive parameters are not hijacked, cracked and leaked by malicious parties.
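The token and key-mapping-table flow of this embodiment, as an added sketch that is not code from the patent. The HMAC-SHA256 signature, the `user.timestamp.signature` layout, the lifetimes and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets
import threading
import time
from typing import Optional

# Assumed values; the patent does not specify algorithms or lifetimes.
SIGNING_KEY = secrets.token_bytes(32)  # platform-side secret used to sign tokens
TOKEN_MAX_AGE = 3600                   # seconds a token is accepted after issue
SESSION_KEY_TTL = 900                  # validity period of a session key, seconds


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Build a token from the user's unique ID, a timestamp and a signature."""
    ts = str(int(time.time() if now is None else now))
    body = f"{user_id}.{ts}"
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user ID if the signature checks out and the token is fresh."""
    now = time.time() if now is None else now
    try:
        # Split from the right so a user ID containing dots still parses.
        user_id, ts, sig = token.rsplit(".", 2)
        issued = int(ts)
    except ValueError:
        return None
    expected = _sign(f"{user_id}.{ts}")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if not 0 <= now - issued <= TOKEN_MAX_AGE:
        return None
    return user_id


class SessionKeyMap:
    """In-memory (token, key) mapping table with a validity period per key."""

    def __init__(self, ttl: float = SESSION_KEY_TTL):
        self._ttl = ttl
        self._table = {}               # token -> (key, expires_at)
        self._lock = threading.Lock()

    def get_or_create(self, token: str, now: Optional[float] = None) -> bytes:
        """Return the valid key for this token, generating one if it is
        missing or expired. Unsigned or stale tokens are rejected first."""
        now = time.time() if now is None else now
        if verify_token(token, now) is None:
            raise PermissionError("invalid or expired token")
        with self._lock:
            entry = self._table.get(token)
            if entry is not None and entry[1] > now:
                return entry[0]
            key = secrets.token_bytes(32)
            self._table[token] = (key, now + self._ttl)
            return key

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop expired entries so old keys do not linger in server memory."""
        now = time.time() if now is None else now
        with self._lock:
            stale = [t for t, (_, exp) in self._table.items() if exp <= now]
            for t in stale:
                del self._table[t]
        return len(stale)


if __name__ == "__main__":
    table = SessionKeyMap()
    token = issue_token("constructed-user-001")   # constructed sample user ID
    first = table.get_or_create(token)
    print("same key reused within validity period:",
          table.get_or_create(token) == first)
```

Checking the signature before touching the table keeps a forged token from creating entries, and the periodic purge bounds how long key material stays in memory.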

In another embodiment, querying the initial sensitive parameters for the parameter acquisition request includes: querying the initial encrypted parameters according to the parameter acquisition request; and acquiring a platform key and decrypting the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.

Here, the platform key may refer to an encryption key that is used only by the parameter service platform.

Here, the initial encrypted parameters may refer to initial sensitive parameters that have been encrypted with the platform key.

In a specific implementation, the server database of the parameter service platform 120 stores in advance initial sensitive parameters that have been encrypted with the platform key, that is, the initial encrypted parameters. When querying the server database for the initial sensitive parameters for the parameter acquisition request, the parameter service platform 120 first queries the initial encrypted parameters in its server database according to the parameter acquisition request; it then acquires the platform key and decrypts the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.

In the technical solution of this embodiment, the server database stores in advance the initial encrypted parameters encrypted with the platform key; when the client needs to use sensitive parameters, the platform key is used to decrypt the initial encrypted parameters to obtain the initial sensitive parameters. The parameter service platform thus stores sensitive parameters in encrypted form, which improves the security with which it manages and stores them.

It should be understood that although the steps in the flowcharts of FIG. 2 and FIG. 3 are shown in sequence as indicated by the arrows, these steps are not necessarily executed in that sequence. Unless explicitly stated herein, there is no strict restriction on the order in which these steps are executed, and they may be executed in other orders. Moreover, at least some of the steps in FIG. 2 and FIG. 3 may include multiple sub-steps or stages. These sub-steps or stages are not necessarily completed at the same moment but may be executed at different moments, and they are not necessarily executed sequentially but may be executed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.

In one embodiment, a system for processing encrypted sensitive parameters is provided. The system includes a client and a parameter service platform.

The client is used to send a parameter acquisition request to the parameter service platform; it is also used to receive the encrypted sensitive parameters from the parameter service platform and write them into the client's local memory; to decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters; to perform business operations according to the decrypted sensitive parameters; and, when the business operation is completed, to destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the client's local memory.

The parameter service platform is used to receive the parameter acquisition request from the client, generate the encrypted sensitive parameters for the parameter acquisition request, and send the encrypted sensitive parameters.

For the specific limitations of the system for processing encrypted sensitive parameters, refer to the limitations of the method for processing encrypted sensitive parameters above; they are not repeated here.

In one embodiment, as shown in FIG. 4, an apparatus for processing encrypted sensitive parameters is provided, including:

a writing module 410, configured to receive the encrypted sensitive parameters from the parameter service platform and write the encrypted sensitive parameters into the client's local memory;

a decryption module 420, configured to decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters;

an operation module 430, configured to perform business operations according to the decrypted sensitive parameters;

a destruction module 440, configured to destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the client's local memory when the business operation is completed.

In one embodiment, the decrypted sensitive parameters include at least one of a login account, a login password and a web page access address of the business system. The operation module 430 includes: an access sub-module, configured to access the business system according to the web page access address; and a login sub-module, configured to perform a robot simulated login operation, where the robot simulated login operation uses the login account and the login password to log in to the business system.

In one embodiment, the decryption module 420 includes: a request acquisition sub-module, configured to acquire a token key acquisition request and send the token key acquisition request to the parameter service platform; a key receiving sub-module, configured to receive the session encryption key returned for the token key acquisition request; and a decryption sub-module, configured to decrypt the encrypted sensitive parameters with the session encryption key to generate the decrypted sensitive parameters.

In one embodiment, the request acquisition sub-module includes: a sending unit, configured to send a token acquisition request to the parameter service platform; a receiving unit, configured to receive the user token returned for the token acquisition request; and a generating unit, configured to generate the token key acquisition request according to the user token.

In one embodiment, the writing module 410 includes: a sending sub-module, configured to send a parameter acquisition request to the parameter service platform, where the parameter acquisition request is used by the parameter service platform to determine the user identity features of the client, and the user identity features are used by the parameter service platform to determine the encrypted sensitive parameters for the client; and a parameter receiving sub-module, configured to receive the encrypted sensitive parameters returned for the parameter acquisition request.

For the specific limitations of the apparatus for processing encrypted sensitive parameters, refer to the limitations of the method for processing encrypted sensitive parameters above; they are not repeated here. Each module in the above apparatus for processing encrypted sensitive parameters may be implemented in whole or in part by software, hardware or a combination thereof. The modules may be embedded in or independent of a processor in a computer device in hardware form, or stored in a memory of the computer device in software form, so that the processor can invoke and execute the operations corresponding to each module.

In one embodiment, as shown in FIG. 5, an apparatus for sending encrypted sensitive parameters is provided, including:

a receiving module 510, configured to receive a parameter acquisition request from the client;

a generating module 520, configured to generate encrypted sensitive parameters for the parameter acquisition request;

a sending module 530, configured to send the encrypted sensitive parameters, where the encrypted sensitive parameters are received by the client and written into the client's local memory; the encrypted sensitive parameters are also decrypted by the client to obtain decrypted sensitive parameters; the decrypted sensitive parameters are used by the client to perform business operations; and when the business operation is completed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

In one embodiment, the generating module 520 includes: a determining sub-module, configured to determine the user identity features of the client according to the parameter acquisition request, where the user identity features include at least one of user position level, user security clearance level and length of employment; a judging sub-module, configured to determine, according to the user identity features, whether the client has permission to use the parameters; a query sub-module, configured to query, if so, the initial sensitive parameters for the parameter acquisition request; and an acquisition sub-module, configured to acquire a session encryption key and encrypt the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters.

In one embodiment, the acquisition sub-module includes: a receiving unit, configured to receive a token key acquisition request from the client; a determining unit, configured to determine the user token according to the token key acquisition request; a first query unit, configured to query, according to the user token, whether the session encryption key exists in a preset key mapping table; a writing unit, configured to generate, if not, the session encryption key and write it to the key mapping table; and a sending unit, configured to send the session encryption key to the client.

In one embodiment, the query sub-module includes: a second query unit, configured to query the initial encrypted parameters according to the parameter acquisition request; and a key acquisition unit, configured to acquire a platform key and decrypt the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.

For the specific limitations of the apparatus for sending encrypted sensitive parameters, refer to the limitations of the method for sending encrypted sensitive parameters above; they are not repeated here. Each module in the above apparatus for sending encrypted sensitive parameters may be implemented in whole or in part by software, hardware or a combination thereof. The modules may be embedded in or independent of a processor in a computer device in hardware form, or stored in a memory of the computer device in software form, so that the processor can invoke and execute the operations corresponding to each module.

In one embodiment, to aid the understanding of those skilled in the art, a sequence diagram of a system for processing encrypted sensitive parameters is provided, as shown in FIG. 6, in which:

When the user logs in to the client 110, the parameter service platform 120 generates a user token and returns it to the client 110.

When the client 110 requests a session encryption key from the parameter service platform 120, the parameter service platform 120 queries, according to the user token, whether a valid session encryption key exists. If none exists or the session encryption key has expired, the parameter service platform 120 generates a session encryption key and writes it to the key mapping table; finally, it sends the session encryption key to the client 110.

When the client 110 requests sensitive parameters from the parameter service platform 120, the parameter service platform 120 determines whether the client has permission to use the parameters. If it does, the parameter service platform 120 queries the initial encrypted parameters in its server database according to the parameter acquisition request; it then acquires the platform key and decrypts the initial encrypted parameters with the platform key to obtain the initial sensitive parameters. The parameter service platform 120 encrypts the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters.

When the client 110 does not have permission to use the parameters, the parameter service platform 120 returns a parameter acquisition error message to the client 110.

The parameter service platform 120 sends the encrypted sensitive parameters to the client 110. The client 110 receives the encrypted sensitive parameters from the parameter service platform and writes them into the local memory of the client 110. The client 110 then obtains the decryption key corresponding to the encrypted sensitive parameters and uses that key to decrypt them, obtaining the decrypted sensitive parameters.

The client 110 then performs business operations according to the decrypted sensitive parameters, for example a series of operations such as automatically logging in to the financial system and automatically auditing financial information. When the business operation is completed, the client 110 destroys the decrypted sensitive parameters and the encrypted sensitive parameters stored in local memory.

In one embodiment, a computer device is provided. The computer device may be a server, and its internal structure may be as shown in FIG. 7. The computer device includes a processor, a memory, a network interface and a database connected through a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The database of the computer device is used to store encrypted sensitive parameter and decrypted sensitive parameter data. The network interface of the computer device is used to communicate with external terminals over a network connection. When executed by the processor, the computer program implements a method for processing encrypted sensitive parameters and a method for sending encrypted sensitive parameters.

Those skilled in the art will understand that the structure shown in FIG. 7 is only a block diagram of the part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied. A specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.

In one embodiment, a computer device is provided, including a memory and a processor. A computer program is stored in the memory, and the processor implements the following steps when executing the computer program:

Step 210: receive the encrypted sensitive parameters from the parameter service platform, and write the encrypted sensitive parameters into the local memory of the client;

Step 220: decrypt the encrypted sensitive parameters to obtain the decrypted sensitive parameters;

Step 230: perform a business operation according to the decrypted sensitive parameters;

Step 240: when the business operation is completed, destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.

In one embodiment, the processor further implements the following steps when executing the computer program: accessing the business system according to the webpage access address; performing a robot simulated login operation, where the robot simulated login operation uses the login account and the login password to log in to the business system.

In one embodiment, the processor further implements the following steps when executing the computer program: obtaining a password key acquisition request, and sending the password key acquisition request to the parameter service platform; receiving the session encryption key returned for the password key acquisition request; decrypting the encrypted sensitive parameters with the session encryption key to generate the decrypted sensitive parameters.

In one embodiment, the processor further implements the following steps when executing the computer program: sending a password acquisition request to the parameter service platform; receiving the user password returned for the password acquisition request; generating the password key acquisition request according to the user password.

In one embodiment, the processor further implements the following steps when executing the computer program: sending a parameter acquisition request to the parameter service platform, where the parameter acquisition request is used by the parameter service platform to determine the user identity features of the client, and the user identity features are used by the parameter service platform to determine the encrypted sensitive parameters for the client; receiving the encrypted sensitive parameters returned for the parameter acquisition request.

In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, the following steps are implemented:

Step 210: receive the encrypted sensitive parameters from the parameter service platform, and write the encrypted sensitive parameters into the local memory of the client;

Step 220: decrypt the encrypted sensitive parameters to obtain the decrypted sensitive parameters;

Step 230: perform a business operation according to the decrypted sensitive parameters;

Step 240: when the business operation is completed, destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.

In one embodiment, the following steps are further implemented when the computer program is executed by the processor: accessing the business system according to the webpage access address; performing a robot simulated login operation, where the robot simulated login operation uses the login account and the login password to log in to the business system.

In one embodiment, the following steps are further implemented when the computer program is executed by the processor: obtaining a password key acquisition request, and sending the password key acquisition request to the parameter service platform; receiving the session encryption key returned for the password key acquisition request; decrypting the encrypted sensitive parameters with the session encryption key to generate the decrypted sensitive parameters.

In one embodiment, the following steps are further implemented when the computer program is executed by the processor: sending a password acquisition request to the parameter service platform; receiving the user password returned for the password acquisition request; generating the password key acquisition request according to the user password.

In one embodiment, the following steps are further implemented when the computer program is executed by the processor: sending a parameter acquisition request to the parameter service platform, where the parameter acquisition request is used by the parameter service platform to determine the user identity features of the client, and the user identity features are used by the parameter service platform to determine the encrypted sensitive parameters for the client; receiving the encrypted sensitive parameters returned for the parameter acquisition request.

In one embodiment, a computer device is provided, including a memory and a processor. A computer program is stored in the memory, and the processor implements the following steps when executing the computer program:

Step 310: receive a parameter acquisition request from the client;

Step 320: generate the encrypted sensitive parameters for the parameter acquisition request;

Step 330: send the encrypted sensitive parameters. The encrypted sensitive parameters are received by the client and written into the local memory of the client; the client also decrypts the encrypted sensitive parameters to obtain the decrypted sensitive parameters; the client uses the decrypted sensitive parameters to perform business operations; when the business operation is completed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

In one embodiment, the processor further implements the following steps when executing the computer program: determining the user identity features of the client according to the parameter acquisition request, where the user identity features include at least one of the user's position level, the user's secrecy level, and the user's length of employment; determining, according to the user identity features, whether the client has permission to use the parameters; if so, querying the initial sensitive parameters for the parameter acquisition request; obtaining a session encryption key, and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters.

In one embodiment, the processor further implements the following steps when executing the computer program: receiving a password key acquisition request from the client; determining the user password according to the password key acquisition request; querying, according to the user password, whether the session encryption key exists in a preset key mapping table; if not, generating the session encryption key and writing it into the key mapping table; sending the session encryption key to the client.

In one embodiment, the processor further implements the following steps when executing the computer program: querying the initial encrypted parameters according to the parameter acquisition request; obtaining a platform key, and decrypting the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.

In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, the following steps are implemented:

Step 310: receive a parameter acquisition request from the client;

Step 320: generate the encrypted sensitive parameters for the parameter acquisition request;

Step 330: send the encrypted sensitive parameters. The encrypted sensitive parameters are received by the client and written into the local memory of the client; the client also decrypts the encrypted sensitive parameters to obtain the decrypted sensitive parameters; the client uses the decrypted sensitive parameters to perform business operations; when the business operation is completed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

In one embodiment, the following steps are further implemented when the computer program is executed by the processor: determining the user identity features of the client according to the parameter acquisition request, where the user identity features include at least one of the user's position level, the user's secrecy level, and the user's length of employment; determining, according to the user identity features, whether the client has permission to use the parameters; if so, querying the initial sensitive parameters for the parameter acquisition request; obtaining a session encryption key, and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters.

In one embodiment, the following steps are further implemented when the computer program is executed by the processor: receiving a password key acquisition request from the client; determining the user password according to the password key acquisition request; querying, according to the user password, whether the session encryption key exists in a preset key mapping table; if not, generating the session encryption key and writing it into the key mapping table; sending the session encryption key to the client.

In one embodiment, the following steps are further implemented when the computer program is executed by the processor: querying the initial encrypted parameters according to the parameter acquisition request; obtaining a platform key, and decrypting the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.
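The client-side steps 210 to 240 and the platform-side steps 310 to 330 described above, as an added Python example that is not code from the patent. The cipher (an HMAC-SHA256 keystream with encrypt-then-MAC from the standard library, standing in for an AEAD such as AES-GCM because the patent names no algorithm), the `secrecy_level` threshold, the client id, the sample parameter and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from contextlib import contextmanager

def wipe(buf: bytearray) -> None:
    # Overwrite in place; only mutable buffers can be destroyed this way.
    buf[:] = bytes(len(buf))

def _subkey(key, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce: bytes, n: int) -> bytearray:
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    del out[n:]
    return out

def seal(key, plaintext) -> bytes:
    # Assumed stand-in cipher: returns nonce || ciphertext || HMAC tag.
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    wipe(stream)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob) -> bytearray:
    # Verify the tag before decrypting; the plaintext lands in a wipeable bytearray.
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = bytes(blob[:16]), bytes(blob[16:-32]), bytes(blob[-32:])
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    plain = bytearray(c ^ s for c, s in zip(body, stream))
    wipe(stream)
    return plain

class ParameterServicePlatform:
    MIN_SECRECY_LEVEL = 2  # assumed policy threshold, not from the patent

    def __init__(self, users):
        self._platform_key = secrets.token_bytes(32)
        self._users = users      # client id -> user identity features
        self._stored = {}        # name -> initial encrypted parameter
        self._passwords = {}     # client id -> user password
        self._key_map = {}       # key mapping table: user password -> session key

    def store(self, name, value):
        self._stored[name] = seal(self._platform_key, value)

    def user_password(self, client_id):       # password acquisition request
        return self._passwords.setdefault(client_id, secrets.token_hex(16))

    def session_key(self, password):          # password key acquisition request
        if password not in self._passwords.values():
            raise PermissionError("unknown user password")
        if password not in self._key_map:     # not in the table: generate and write
            self._key_map[password] = secrets.token_bytes(32)
        return self._key_map[password]

    def get_parameter(self, client_id, name):  # steps 310-330
        features = self._users.get(client_id, {})
        if features.get("secrecy_level", 0) < self.MIN_SECRECY_LEVEL:
            raise PermissionError("client has no permission to use this parameter")
        initial = unseal(self._platform_key, self._stored[name])  # platform key decrypt
        try:
            return seal(self.session_key(self.user_password(client_id)), initial)
        finally:
            wipe(initial)                       # plaintext never outlives the request

@contextmanager
def sensitive_parameter(platform, client_id, name):
    encrypted = bytearray(platform.get_parameter(client_id, name))       # step 210
    key = bytearray(platform.session_key(platform.user_password(client_id)))
    decrypted = bytearray()
    try:
        decrypted = unseal(key, encrypted)                               # step 220
        yield decrypted, encrypted                                       # step 230
    finally:
        for buf in (decrypted, encrypted, key):                          # step 240
            wipe(buf)

def demo():
    platform = ParameterServicePlatform({"rpa-01": {"secrecy_level": 3}})
    platform.store("finance-login", b"acct=robot;pwd=constructed-sample")  # constructed
    with sensitive_parameter(platform, "rpa-01", "finance-login") as (plain, cipher):
        logged_in = plain.startswith(b"acct=robot")  # stands in for the simulated login
    return logged_in, bytes(plain), bytes(cipher)

if __name__ == "__main__":
    print(demo())
```

Overwriting only reaches the mutable buffers: any `bytes` or `str` copy made from the decrypted parameter during the business operation stays in memory until the interpreter releases it, so the operation should work on the `bytearray` directly.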

Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the above method embodiments. Any reference to memory, storage, database or other media used in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).

The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as a combination of these technical features contains no contradiction, it should be considered to fall within the scope of this specification.

The above embodiments represent only several implementations of the present application. Their descriptions are specific and detailed, but they should not be construed as limiting the scope of the invention patent. It should be noted that those of ordinary skill in the art can make several modifications and improvements without departing from the concept of the present application, and these all fall within the protection scope of the present application. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (14)

1. A method for processing sensitive parameters, characterized in that the method comprises:
receiving encrypted sensitive parameters from a parameter service platform, and writing the encrypted sensitive parameters into the local memory of a client;
decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters;
performing a business operation according to the decrypted sensitive parameters;
when the business operation is completed, destroying the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client.

2. The method according to claim 1, characterized in that the decrypted sensitive parameters comprise at least one of a login account, a login password, and a webpage access address of a business system;
the performing a business operation according to the decrypted sensitive parameters comprises:
accessing the business system according to the webpage access address;
performing a robot simulated login operation, where the robot simulated login operation uses the login account and the login password to log in to the business system.

3. The method according to claim 1, characterized in that the decrypting the encrypted sensitive parameters to obtain decrypted sensitive parameters comprises:
obtaining a password key acquisition request, and sending the password key acquisition request to the parameter service platform;
receiving the session encryption key returned for the password key acquisition request;
decrypting the encrypted sensitive parameters with the session encryption key to generate the decrypted sensitive parameters.

4. The method according to claim 2, characterized in that the obtaining a password key acquisition request comprises:
sending a password acquisition request to the parameter service platform;
receiving the user password returned for the password acquisition request;
generating the password key acquisition request according to the user password.

5. The method according to claim 1, characterized in that the receiving encrypted sensitive parameters from a parameter service platform comprises:
sending a parameter acquisition request to the parameter service platform, where the parameter acquisition request is used by the parameter service platform to determine the user identity features of the client, and the user identity features are used by the parameter service platform to determine the encrypted sensitive parameters for the client;
receiving the encrypted sensitive parameters returned for the parameter acquisition request.

6. A method for sending encrypted sensitive parameters, characterized in that the method comprises:
receiving a parameter acquisition request from a client;
generating encrypted sensitive parameters for the parameter acquisition request;
sending the encrypted sensitive parameters, where the encrypted sensitive parameters are received by the client and written into the local memory of the client; the client also decrypts the encrypted sensitive parameters to obtain decrypted sensitive parameters; the client uses the decrypted sensitive parameters to perform business operations; when the business operation is completed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

7. The method according to claim 6, characterized in that the generating encrypted sensitive parameters for the parameter acquisition request comprises:
determining the user identity features of the client according to the parameter acquisition request, where the user identity features include at least one of the user's position level, the user's secrecy level, and the user's length of employment;
determining, according to the user identity features, whether the client has permission to use the parameters;
if so, querying the initial sensitive parameters for the parameter acquisition request;
obtaining a session encryption key, and encrypting the initial sensitive parameters with the session encryption key to generate the encrypted sensitive parameters.

8. The method according to claim 7, characterized in that the obtaining a session encryption key comprises:
receiving a password key acquisition request from the client;
determining the user password according to the password key acquisition request;
querying, according to the user password, whether the session encryption key exists in a preset key mapping table;
if not, generating the session encryption key and writing it into the key mapping table;
sending the session encryption key to the client.

9. The method according to claim 2, characterized in that the querying the initial sensitive parameters for the parameter acquisition request comprises:
querying the initial encrypted parameters according to the parameter acquisition request;
obtaining a platform key, and decrypting the initial encrypted parameters with the platform key to obtain the initial sensitive parameters.

10. A system for processing encrypted sensitive parameters, characterized in that the system comprises a client and a parameter service platform;
the client is configured to send a parameter acquisition request to the parameter service platform; and is further configured to receive the encrypted sensitive parameters from the parameter service platform and write them into the local memory of the client; decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters; perform a business operation according to the decrypted sensitive parameters; and, when the business operation is completed, destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client;
the parameter service platform is configured to receive the parameter acquisition request from the client; generate the encrypted sensitive parameters for the parameter acquisition request; and send the encrypted sensitive parameters.

11. A device for processing encrypted sensitive parameters, characterized in that the device comprises:
a writing module, configured to receive encrypted sensitive parameters from a parameter service platform and write the encrypted sensitive parameters into the local memory of a client;
a decryption module, configured to decrypt the encrypted sensitive parameters to obtain decrypted sensitive parameters;
an operation module, configured to perform a business operation according to the decrypted sensitive parameters;
a destruction module, configured to destroy the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory of the client when the business operation is completed.

12. A device for sending encrypted sensitive parameters, characterized in that the device comprises:
a receiving module, configured to receive a parameter acquisition request from a client;
a generating module, configured to generate encrypted sensitive parameters for the parameter acquisition request;
a sending module, configured to send the encrypted sensitive parameters, where the encrypted sensitive parameters are received by the client and written into the local memory of the client; the client also decrypts the encrypted sensitive parameters to obtain decrypted sensitive parameters; the client uses the decrypted sensitive parameters to perform business operations; when the business operation is completed, the client destroys the decrypted sensitive parameters and the encrypted sensitive parameters from the local memory.

13. A computer device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method according to any one of claims 1 to 9 when executing the computer program.

14. A computer-readable storage medium on which a computer program is stored, characterized in that the steps of the method according to any one of claims 1 to 9 are implemented when the computer program is executed by a processor.
CN201910282983.5A, priority date 2019-04-10, filing date 2019-04-10: Encryption sensitive parameter processing method and device, computer equipment and storage medium. Status: Active. Published as CN110008727B (en).

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910282983.5A (CN110008727B (en)) | 2019-04-10 | 2019-04-10 | Encryption sensitive parameter processing method and device, computer equipment and storage medium |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN110008727A (en) | 2019-07-12 |
| CN110008727B (en) | 2020-07-21 |

Family

ID=67170606

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910282983.5A (Active, CN110008727B (en)) | Encryption sensitive parameter processing method and device, computer equipment and storage medium | 2019-04-10 | 2019-04-10 |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN110008727B (en) |

Also Published As

| Publication number | Publication date |
|---|---|
| CN110008727B (en) | 2020-07-21 |

Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination
CB02 | Change of applicant information

Address after:511458 Room 1301, Chengtou Building, 106 Fengze East Road, Nansha District, Guangzhou City, Guangdong Province (self-compiled 1301-12159)

Applicant after:Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Address before:511458 Room 1301, Chengtou Building, 106 Fengze East Road, Nansha District, Guangzhou City, Guangdong Province (self-compiled 1301-12159)

Applicant before:DINGXIN INFORMATION TECHNOLOGY Co.,Ltd.

GR01 | Patent grant
CP03 | Change of name, title or address

Address after:Room 1301, Chengtou building, No. 106, Fengze East Road, Nansha District, Guangzhou City, Guangdong Province

Patentee after:Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Country or region after:China

Address before:Room 1301, Chengtou building, No. 106, Fengze East Road, Nansha District, Guangzhou City, Guangdong Province

Patentee before:Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Country or region before:China

TR01 | Transfer of patent right

Effective date of registration:20240912

Address after:Yunsheng Science Park, No. 11 Spectral Middle Road, Huangpu District, Guangzhou City, Guangdong Province, 510700

Patentee after:China Southern Power Grid Digital Enterprise Technology (Guangdong) Co.,Ltd.

Country or region after:China

Address before:Room 1301, Chengtou building, No. 106, Fengze East Road, Nansha District, Guangzhou City, Guangdong Province

Patentee before:Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Country or region before:China

CP03 | Change of name, title or address

Address after:510000 Guangdong Province, Guangzhou City, Huangpu District, Guangzhou Huiguang Spectrum Road No. 11 Yunseng Science Park Building 2 Unit 3 1601 Room

Patentee after:China Southern Power Grid Data Platform and Security (Guangdong) Co., Ltd.

Country or region after:China

Address before:Room 509, No. 808 Dongfeng East Road, Yuexiu District, Guangzhou City, Guangdong Province

Patentee before:China Southern Power Grid Digital Enterprise Technology (Guangdong) Co.,Ltd.

Country or region before:China

