技术领域Technical field
本申请涉及网络安全技术领域,具体而言,涉及一种敏感操作的认证方法、装置、电子设备及存储介质。This application relates to the field of network security technology, specifically to an authentication method, device, electronic equipment and storage medium for sensitive operations.
背景技术Background technique
在安全产品系统开发过程中,会涉及到一些敏感操作,如重启服务、重启设备、关机设备、恢复出厂设置、修改网卡配置、登录白名单控制等。为了确保安全,系统通常会采用双因素身份验证的方式(2FA)验证用户该次的敏感操作,目前关于二次认证的实现手段多种多样,包括短信验证码、邮件验证码、用户密保问题、FIDO验证、TOTP动态验证码验证等。二次认证的实现方式都会面临用户短时间内进行多次敏感操作的问题,现有技术通过以下方式解决二次认证的问题:In the development process of security product systems, some sensitive operations will be involved, such as restarting services, restarting devices, shutting down devices, restoring factory settings, modifying network card configurations, logging into whitelist control, etc. In order to ensure security, the system usually uses two-factor authentication (2FA) to verify the user's sensitive operation. Currently, there are various ways to implement two-factor authentication, including SMS verification codes, email verification codes, and user password protection issues. , FIDO verification, TOTP dynamic verification code verification, etc. The implementation of secondary authentication will face the problem of users performing multiple sensitive operations in a short period of time. Existing technologies solve the problem of secondary authentication in the following ways:
第一种,首次敏感操作认证通过后,设置一段时间内有效的cookie,使用户在后续操作时无需重复认证,但是,这种方式无法应对敏感操作的分级问题,若采用不同级别敏感操纵方式,对于更细粒度的接口级操作,会存在cookie膨胀的问题。The first method is to set a cookie valid for a period of time after the first sensitive operation is authenticated, so that the user does not need to repeat the authentication in subsequent operations. However, this method cannot deal with the classification problem of sensitive operations. If different levels of sensitive operation methods are used, For more fine-grained interface-level operations, there will be a problem of cookie expansion.
第二种,首次敏感操作认证通过后,返回一次性认证码给客户端,客户端在真正业务操作时携带一次性认证码,且一次性认证码仅能使用一次,这种方式需要进行很多不必要的重复认证,会严重影响用户体验感。Second, after the first sensitive operation is authenticated, a one-time authentication code is returned to the client. The client carries the one-time authentication code during real business operations, and the one-time authentication code can only be used once. This method requires a lot of different operations. Necessary repeated authentication will seriously affect the user experience.
发明内容Contents of the invention
本申请实施例的目的在于提供一种敏感操作的认证方法、装置、电子设备及存储介质,可以提高对敏感操作的认证效率,提高认证准确率,避免多次重复认证,确保用户的资产安全,减少认证过程中的安全隐患,为用户提供更多安全保障。The purpose of the embodiments of this application is to provide an authentication method, device, electronic device and storage medium for sensitive operations, which can improve the authentication efficiency of sensitive operations, improve the accuracy of authentication, avoid multiple repeated authentications, and ensure the security of users' assets. Reduce security risks during the authentication process and provide users with more security protection.
第一方面,本申请实施例提供了一种敏感操作的认证方法,所述方法包括:In the first aspect, embodiments of the present application provide an authentication method for sensitive operations. The method includes:
获取用户的操作数据;Obtain the user's operation data;
根据预置的敏感操作集对所述操作数据进行敏感判定;Conduct sensitivity determination on the operation data according to the preset sensitive operation set;
在所述操作数据被判定为敏感操作数据的情况下,对所述敏感操作数据进行第一次认证,得到第一认证结果;When the operation data is determined to be sensitive operation data, perform a first authentication on the sensitive operation data to obtain a first authentication result;
在所述第一认证结果为不通过的情况下,调用二次认证接口对所述敏感操作数据进行第二次认证,得到第二认证结果;When the first authentication result is failed, call the secondary authentication interface to perform a second authentication on the sensitive operation data to obtain the second authentication result;
在所述第二认证结果为通过的情况下,调用所述操作数据对应的操作接口执行相应的用户操作。If the second authentication result is passed, the operation interface corresponding to the operation data is called to perform the corresponding user operation.
在上述实现过程中,根据敏感操作集对操作数据进行敏感判定后进行两次认证,可以提高对敏感操作的认证效率,提高认证准确率,避免多次重复认证,确保用户的资产安全,减少认证过程中的安全隐患,为用户提供更多安全保障。In the above implementation process, two authentications are performed after determining the sensitivity of the operation data according to the sensitive operation set, which can improve the authentication efficiency of sensitive operations, improve the authentication accuracy, avoid multiple repeated authentications, ensure the security of users' assets, and reduce the number of authentications. Potential safety hazards in the process are eliminated to provide users with more safety assurance.
进一步地,所述方法还包括:在所述操作数据被判定为正常操作数据的情况下,调用所述操作数据对应的操作接口执行相应的用户操作。Further, the method further includes: when the operation data is determined to be normal operation data, calling an operation interface corresponding to the operation data to perform a corresponding user operation.
在上述实现过程中,操作数据为正常操作数据时,直接执行操作数据对应的用户操作,可以节省时间,提高用户的体验感。In the above implementation process, when the operation data is normal operation data, directly executing the user operations corresponding to the operation data can save time and improve the user experience.
进一步地,所述根据预置的敏感操作集对所述操作数据进行敏感判定的步骤,包括:Further, the step of making a sensitivity determination on the operation data according to a preset sensitive operation set includes:
判断所述操作数据是否为所述敏感操作集中的敏感数据;Determine whether the operation data is sensitive data in the sensitive operation set;
若是,判定所述操作数据为敏感操作数据;If so, determine that the operation data is sensitive operation data;
若否,判定所述操作数据为正常操作数据。If not, the operation data is determined to be normal operation data.
在上述实现过程中,先对操作数据进行敏感判定,将操作数据进行区分,可以防止敏感数据直接被执行,能够提高安全性能,避免造成用户损失。In the above implementation process, the sensitivity of the operation data is first determined and the operation data is distinguished, which can prevent sensitive data from being directly executed, improve security performance, and avoid user losses.
进一步地,所述敏感操作集中的敏感数据包括严重敏感数据、高度敏感数据、中度敏感数据和低度敏感数据。Further, the sensitive data in the sensitive operation set includes severely sensitive data, highly sensitive data, moderately sensitive data and lowly sensitive data.
进一步地,所述对所述敏感操作数据进行第一次认证,得到第一认证结果的步骤,包括:Further, the step of performing the first authentication on the sensitive operation data and obtaining the first authentication result includes:
获取所述敏感操作数据对应的前端浏览数据;Obtain the front-end browsing data corresponding to the sensitive operation data;
对所述前端浏览数据依次进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,得到所述第一认证结果。The front-end browsing data is sequentially subjected to authentication data existence determination, authentication data validity determination and sensitivity level determination to obtain the first authentication result.
在上述实现过程中,对前端浏览数据进行第一次认证,方便快速、准确地获知操作数据的初步认证情况,为后续第二次认证提供依据,可以缩短用户认证耗费的时间。In the above implementation process, the front-end browsing data is authenticated for the first time, so as to quickly and accurately obtain the preliminary authentication status of the operation data, provide a basis for the subsequent second authentication, and shorten the time spent on user authentication.
进一步地,所述对所述前端浏览数据依次进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,得到所述第一认证结果的步骤,包括:Further, the step of sequentially performing authentication data existence determination, authentication data validity determination and sensitivity level determination on the front-end browsing data to obtain the first authentication result includes:
判断所述前端浏览数据中的存储空间中是否包含认证数据;Determine whether the storage space in the front-end browsing data contains authentication data;
若所述存储空间中不包含认证数据,判定所述第一认证结果为不通过;If the storage space does not contain authentication data, determine that the first authentication result is failed;
若所述存储空间中包含认证数据,则根据所述前端浏览数据中的第一认证信息判断所述认证数据是否有效;If the storage space contains authentication data, determine whether the authentication data is valid based on the first authentication information in the front-end browsing data;
若所述认证数据无效,判定所述第一认证结果为不通过;If the authentication data is invalid, determine the first authentication result as failed;
若所述认证数据有效,则根据所述前端浏览数据中的第一认证信息判断所述敏感操作数据对应的敏感级别是否适用;If the authentication data is valid, determine whether the sensitivity level corresponding to the sensitive operation data is applicable based on the first authentication information in the front-end browsing data;
若所述敏感级别不适用,判定所述第一认证结果为不通过;If the sensitivity level is not applicable, determine the first authentication result as failed;
若所述敏感级别适用,判定所述第一认证结果为通过。If the sensitivity level is applicable, the first authentication result is determined to be passed.
在上述实现过程中,根据前端浏览数据进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,可以准确、合理地实现对敏感操作数据的第一次认证,使得到的认证结果更加准确。In the above implementation process, the authentication data existence determination, authentication data validity determination and sensitivity level determination are carried out based on the front-end browsing data, which can accurately and reasonably realize the first authentication of sensitive operation data, making the authentication results more accurate. .
进一步地,所述判断所述前端浏览数据中的存储空间中是否包含认证数据的步骤,包括:Further, the step of determining whether the storage space in the front-end browsing data contains authentication data includes:
从所述存储空间中获取敏感级别键值对;Obtain sensitivity level key-value pairs from the storage space;
判断所述敏感级别键值对的值是否为空;Determine whether the value of the sensitive level key-value pair is empty;
若是,判定所述存储空间中不包含认证数据;If so, determine that the storage space does not contain authentication data;
若否,判断所述敏感级别键值对对应的数据格式是否为预设数据格式,若所述数据格式符合预设数据格式,判定所述存储空间中包含认证数据,若所述数据格式不符合预设数据格式,判定所述存储空间中不包含认证数据。If not, determine whether the data format corresponding to the sensitive level key-value pair is a preset data format. If the data format conforms to the preset data format, determine whether the storage space contains authentication data. If the data format does not conform to the The data format is preset and it is determined that the storage space does not contain authentication data.
在上述实现过程中,根据敏感级别键值对对应的数据格式判断存储空间是否包含认证数据,可以在不知道认证数据的具体内容的情况下,快速、准确地对认证数据的存在性进行判定,提高认证效率。In the above implementation process, whether the storage space contains authentication data is determined based on the data format corresponding to the sensitive level key-value pair. The existence of the authentication data can be quickly and accurately determined without knowing the specific content of the authentication data. Improve authentication efficiency.
进一步地,所述根据所述前端浏览数据中的第一认证信息判断所述认证数据是否有效的步骤,包括:Further, the step of determining whether the authentication data is valid based on the first authentication information in the front-end browsing data includes:
对所述前端浏览数据中的第一认证信息进行解码操作,得到有效载荷;Perform a decoding operation on the first authentication information in the front-end browsing data to obtain a payload;
判断所述有效载荷中的过期时间字段是否大于阈值;Determine whether the expiration time field in the payload is greater than a threshold;
若是,判定所述认证数据有效;If so, determine that the authentication data is valid;
若否,判定所述认证数据无效。If not, the authentication data is determined to be invalid.
在上述实现过程中,根据有效载荷中的过期时间字段判断认证数据是否有效,能够节约对认证数据的解析过程,并及时获得认证数据的失效时间,保护用户的操作安全。In the above implementation process, judging whether the authentication data is valid based on the expiration time field in the payload can save the parsing process of the authentication data, obtain the expiration time of the authentication data in time, and protect the user's operational security.
进一步地,所述根据所述前端浏览数据中的第一认证信息判断所述敏感操作数据对应的敏感级别是否适用的步骤,包括:Further, the step of determining whether the sensitivity level corresponding to the sensitive operation data is applicable based on the first authentication information in the front-end browsing data includes:
判断所述有效载荷中的敏感数组是否包含敏感操作数据对应的敏感级别;Determine whether the sensitive array in the payload contains the sensitivity level corresponding to the sensitive operation data;
若是,判定所述敏感操作数据对应的敏感级别适用;If so, determine that the sensitivity level corresponding to the sensitive operation data is applicable;
若否,判定所述敏感操作数据对应的敏感级别不适用。If not, it is determined that the sensitivity level corresponding to the sensitive operation data is not applicable.
在上述实现过程中,判断敏感操作数据对应的敏感级别是否适用,可以使得用户的操作在合适、安全的操作环境下进行,避免用户的操作过程存在安全隐患。In the above implementation process, determining whether the sensitivity level corresponding to the sensitive operation data is applicable can enable the user's operation to be carried out in a suitable and safe operating environment and avoid potential safety hazards in the user's operation process.
进一步地,所述调用二次认证接口对所述敏感操作数据进行第二次认证,得到第二认证结果的步骤,包括:Further, the step of calling the secondary authentication interface to perform a second authentication on the sensitive operation data and obtain the second authentication result includes:
根据所述敏感操作数据的敏感级别选取第二次认证的认证方式;Select the authentication method for the second authentication according to the sensitivity level of the sensitive operation data;
调取所述第二次认证的认证方式对应的所述二次认证接口;Call the secondary authentication interface corresponding to the authentication method of the second authentication;
根据所述二次认证接口触发第二次认证,得到第二认证信息,所述第二认证信息的有效时间为预设时间阈值;Trigger the second authentication according to the secondary authentication interface to obtain second authentication information, and the validity time of the second authentication information is a preset time threshold;
根据所述第二认证信息对所述敏感操作数据进行第二次认证,得到所述第二认证结果。Perform a second authentication on the sensitive operation data according to the second authentication information to obtain the second authentication result.
在上述实现过程中,根据二次认证接口触发第二次认证,确保第二次认证的安全性和有效性,同时可以避免多次认证,保护数据安全的同时提高用户体验感。In the above implementation process, the second authentication is triggered according to the secondary authentication interface to ensure the security and effectiveness of the second authentication. At the same time, multiple authentications can be avoided, protecting data security while improving user experience.
进一步地,所述调用二次认证接口对所述敏感操作数据进行第二次认证,得到第二认证结果的步骤,还包括:Further, the step of calling the secondary authentication interface to perform a second authentication on the sensitive operation data and obtain the second authentication result also includes:
若所述第二认证结果为通过,调用所述敏感操作数据对应的操作接口执行相应的用户操作;If the second authentication result is passed, call the operation interface corresponding to the sensitive operation data to perform the corresponding user operation;
更新所述敏感操作数据的认证数据。Update authentication data for the sensitive operational data.
在上述实现过程中,在第二认证结果通过时再执行相应的用户操作,可以有效限制敏感操作的发生次数,保护用户的操作安全。In the above implementation process, the corresponding user operation is performed when the second authentication result is passed, which can effectively limit the number of occurrences of sensitive operations and protect the user's operational security.
进一步地,若所述第二认证结果为通过,在预设时间阈值内接收到新的操作数据,且所述新的操作数据的敏感级别低于当前所述敏感操作数据的敏感级别,则无需对所述新的操作数据进行第二次认证。Further, if the second authentication result is passed, new operation data is received within the preset time threshold, and the sensitivity level of the new operation data is lower than the current sensitivity level of the sensitive operation data, there is no need to The new operating data is authenticated a second time.
在上述实现过程中,第二次认证结果存在一定的时效,可以确保用户能够在安全的情况下减少认证操作的过程。In the above implementation process, the second authentication result has a certain timeliness, which can ensure that users can reduce the authentication operation process in a safe manner.
第二方面,本申请实施例还提供了一种敏感操作的认证装置,所述装置包括:In a second aspect, embodiments of the present application also provide an authentication device for sensitive operations. The device includes:
获取模块,用于获取用户的操作数据;The acquisition module is used to obtain the user's operation data;
敏感判定模块,用于根据预置的敏感操作集对所述操作数据进行敏感判定;A sensitivity determination module, used to determine the sensitivity of the operation data according to a preset sensitive operation set;
第一次认证模块,用于在所述操作数据被判定为敏感操作数据的情况下,对所述敏感操作数据进行第一次认证,得到第一认证结果;The first authentication module is used to perform the first authentication on the sensitive operation data when the operation data is determined to be sensitive operation data, and obtain the first authentication result;
第二次认证模块,用于在所述第一认证结果为不通过的情况下,调用二次认证接口对所述敏感操作数据进行第二次认证,得到第二认证结果;The second authentication module is used to call the secondary authentication interface to perform a second authentication on the sensitive operation data when the first authentication result is failed, and obtain the second authentication result;
操作执行模块,用于在所述第二认证结果为通过的情况下,调用所述操作数据对应的操作接口执行相应的用户操作。An operation execution module, configured to call an operation interface corresponding to the operation data to perform a corresponding user operation when the second authentication result is passed.
在上述实现过程中,根据敏感操作集对操作数据进行敏感判定后进行两次认证,可以提高对敏感操作的认证效率,提高认证准确率,避免多次重复认证,确保用户的资产安全,减少认证过程中的安全隐患,为用户提供更多安全保障。In the above implementation process, two authentications are performed after determining the sensitivity of the operation data according to the sensitive operation set, which can improve the authentication efficiency of sensitive operations, improve the authentication accuracy, avoid multiple repeated authentications, ensure the security of users' assets, and reduce the number of authentications. Potential safety hazards in the process are eliminated to provide users with more safety assurance.
第三方面,本申请实施例提供的一种电子设备,包括:存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机程序,所述处理器执行所述计算机程序时实现如第一方面任一项所述的方法的步骤。In a third aspect, an electronic device provided by an embodiment of the present application includes: a memory, a processor, and a computer program stored in the memory and executable on the processor. The processor executes the computer program. When implementing the steps of the method described in any one of the first aspects.
第四方面,本申请实施例提供的一种计算机可读存储介质,所述存储介质上存储有指令,当所述指令在计算机上运行时,使得所述计算机执行如第一方面任一项所述的方法。A fourth aspect is a computer-readable storage medium provided by an embodiment of the present application. Instructions are stored on the storage medium. When the instructions are run on a computer, they cause the computer to execute any of the instructions in the first aspect. method described.
第五方面,本申请实施例提供的一种计算机程序产品,所述计算机程序产品在计算机上运行时,使得计算机执行如第一方面任一项所述的方法。A fifth aspect is a computer program product provided by an embodiment of the present application. When the computer program product is run on a computer, it causes the computer to execute the method described in any one of the first aspects.
本公开的其他特征和优点将在随后的说明书中阐述,或者,部分特征和优点可以从说明书推知或毫无疑义地确定,或者通过实施本公开的上述技术即可得知。Other features and advantages of the present disclosure will be set forth in the subsequent description, or some of the features and advantages may be inferred or unambiguously determined from the description, or may be learned by practicing the above-mentioned techniques of the present disclosure.
并可依照说明书的内容予以实施,以下以本申请的较佳实施例并配合附图详细说明如后。And it can be implemented according to the content of the description. The preferred embodiments of the present application are described in detail below with reference to the accompanying drawings.
附图说明Description of drawings
为了更清楚地说明本申请实施例的技术方案,下面将对本申请实施例中所需要使用的附图作简单地介绍,应当理解,以下附图仅示出了本申请的某些实施例,因此不应被看作是对范围值的限定,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他相关的附图。In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the embodiments of the present application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of the present application, and therefore It should not be regarded as a limitation on the range value. For those of ordinary skill in the art, other relevant drawings can be obtained based on these drawings without exerting creative efforts.
图1为本申请实施例提供的敏感操作的认证方法的流程示意图;Figure 1 is a schematic flow chart of an authentication method for sensitive operations provided by an embodiment of the present application;
图2为本申请实施例提供的敏感操作的认证装置的结构组成示意图;Figure 2 is a schematic structural diagram of an authentication device for sensitive operations provided by an embodiment of the present application;
图3为本申请实施例提供的电子设备的结构组成示意图。FIG. 3 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
具体实施方式Detailed ways
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行描述。The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
应注意到:相似的标号和字母在下面的附图中表示类似项,因此,一旦某一项在一个附图中被定义,则在随后的附图中不需要对其进行进一步定义和解释。同时,在本申请的描述中,术语“第一”、“第二”等仅用于区分描述,而不能理解为指示或暗示相对重要性。It should be noted that similar reference numerals and letters represent similar items in the following figures, therefore, once an item is defined in one figure, it does not need further definition and explanation in subsequent figures. Meanwhile, in the description of the present application, the terms “first”, “second”, etc. are only used to differentiate the description and cannot be understood as indicating or implying relative importance.
下面结合附图和实施例,对本申请的具体实施方式作进一步详细描述。以下实施例用于说明本申请,但不用来限制本申请的范围值。Specific implementations of the present application will be described in further detail below with reference to the accompanying drawings and examples. The following examples are used to illustrate the present application but are not intended to limit the range values of the present application.
实施例一Embodiment 1
图1是本申请实施例提供的敏感操作的认证方法的流程示意图,如图1所示,该方法包括:Figure 1 is a schematic flow chart of an authentication method for sensitive operations provided by an embodiment of the present application. As shown in Figure 1, the method includes:
S1,获取用户的操作数据;S1, obtain the user's operation data;
S2,根据预置的敏感操作集对操作数据进行敏感判定;S2, perform sensitivity determination on the operation data according to the preset sensitive operation set;
S3,在操作数据被判定为敏感操作数据的情况下,对敏感操作数据进行第一次认证,得到第一认证结果;S3, when the operation data is determined to be sensitive operation data, perform the first authentication on the sensitive operation data and obtain the first authentication result;
S4,在第一认证结果为不通过的情况下,调用二次认证接口对敏感操作数据进行第二次认证,得到第二认证结果;S4, when the first authentication result is failed, call the secondary authentication interface to perform a second authentication on the sensitive operation data, and obtain the second authentication result;
S5,在第二认证结果为通过的情况下,调用操作数据对应的操作接口执行相应的用户操作。S5: If the second authentication result is passed, call the operation interface corresponding to the operation data to perform the corresponding user operation.
在上述实现过程中,根据敏感操作集对操作数据进行敏感判定后进行两次认证,可以提高对敏感操作的认证效率,提高认证准确率,避免多次重复认证,确保用户的资产安全,减少认证过程中的安全隐患,为用户提供更多安全保障。In the above implementation process, two authentications are performed after determining the sensitivity of the operation data according to the sensitive operation set, which can improve the authentication efficiency of sensitive operations, improve the authentication accuracy, avoid multiple repeated authentications, ensure the security of users' assets, and reduce the number of authentications. Potential safety hazards in the process are eliminated to provide users with more safety assurance.
进一步地,该方法还包括:在操作数据被判定为正常操作数据的情况下,调用操作数据对应的操作接口执行相应的用户操作。Further, the method further includes: when the operation data is determined to be normal operation data, calling an operation interface corresponding to the operation data to perform the corresponding user operation.
在上述实现过程中,操作数据为正常操作数据时,直接执行操作数据对应的用户操作,可以节省时间,提高用户的体验感。In the above implementation process, when the operation data is normal operation data, directly executing the user operations corresponding to the operation data can save time and improve the user experience.
进一步地,S2包括:Further, S2 includes:
判断操作数据是否为敏感操作集中的敏感数据;Determine whether the operation data is sensitive data in the sensitive operation set;
若是,判定操作数据为敏感操作数据;If so, the operation data is determined to be sensitive operation data;
若否,判定操作数据为正常操作数据。If not, the operation data is determined to be normal operation data.
在上述实现过程中,先对操作数据进行敏感判定,将操作数据进行区分,可以防止敏感数据直接被执行,能够提高安全性能,避免造成用户损失。In the above implementation process, the sensitivity of the operation data is first determined and the operation data is distinguished, which can prevent sensitive data from being directly executed, improve security performance, and avoid user losses.
敏感操作集包括具体的敏感操作接口与其对应的敏感级别,用户点击系统的操作按钮时会触发敏感判定,如果当前执行的操作属于敏感操作集中的接口,则进入客户端的认证检测逻辑,否则,直接调用具体业务操作接口。The sensitive operation set includes specific sensitive operation interfaces and their corresponding sensitivity levels. When the user clicks the operation button of the system, the sensitivity determination will be triggered. If the currently executed operation belongs to the interface in the sensitive operation set, the authentication detection logic of the client will be entered. Otherwise, directly Call the specific business operation interface.
本申请实施例通过预先建立敏感操作集,并在定义系统中的敏感操作以及敏感等级,在满足敏感操作第二次认证严谨性的前提下,通过签发短时有效的认证码(认证码携带有效期和适用的敏感等级信息),解决短时间重复二次认证的问题。The embodiment of this application establishes a sensitive operation set in advance, defines the sensitive operations and sensitivity levels in the system, and on the premise of meeting the rigor of the second authentication of the sensitive operations, issues a short-term valid authentication code (authentication code portability). Validity period and applicable sensitivity level information) to solve the problem of repeated secondary authentication in a short period of time.
进一步地,敏感操作集中的敏感数据包括严重敏感数据、高度敏感数据、中度敏感数据和低度敏感数据。Further, the sensitive data in the sensitive operation set includes severely sensitive data, highly sensitive data, moderately sensitive data and lowly sensitive data.
进一步地,S3包括:Further, S3 includes:
获取敏感操作数据对应的前端浏览数据;Obtain front-end browsing data corresponding to sensitive operational data;
对前端浏览数据依次进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,得到第一认证结果。The front-end browsing data is sequentially judged on the existence of authentication data, the validity of authentication data and the sensitivity level, and the first authentication result is obtained.
在上述实现过程中,对前端浏览数据进行第一次认证,方便快速、准确地获知操作数据的初步认证情况,为后续第二次认证提供依据,可以缩短用户认证耗费的时间。In the above implementation process, the front-end browsing data is authenticated for the first time, so as to quickly and accurately obtain the preliminary authentication status of the operation data, provide a basis for the subsequent second authentication, and shorten the time spent on user authentication.
本申请实施例中,第一次认证可以是认证码检测的方式,通过客户端的认证码检测逻辑可以减少系统接口异常日志中出现认证码异常的情况,认证码检测逻辑包含是否存在、是否有效、以及认证码适用的敏感级别,认证码的结构包含明文信息和签名信息,明文信息提供有效性和适用的敏感级别等信息,签名信息可以确保明文信息不被篡改,具体实现方式可以采用明文cookie+签名的方式,也可以使用一个轻量级的认证规范(Json webtoken,JWT)方式实现,本申请实施例以JWT为例,以下简称认证码。In the embodiment of this application, the first authentication can be through authentication code detection. The authentication code detection logic of the client can reduce the occurrence of authentication code exceptions in the system interface exception log. The authentication code detection logic includes whether it exists, whether it is valid, As well as the sensitivity level applicable to the authentication code. The structure of the authentication code contains plain text information and signature information. The plain text information provides information such as validity and applicable sensitivity level. The signature information can ensure that the plain text information is not tampered with. The specific implementation method can use plain text cookies + signatures. This method can also be implemented using a lightweight authentication specification (Json webtoken, JWT). The embodiment of this application takes JWT as an example, hereafter referred to as the authentication code.
进一步地,对前端浏览数据依次进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,得到第一认证结果的步骤,包括:Further, the steps for obtaining the first authentication result include:
判断前端浏览数据中的存储空间中是否包含认证数据;Determine whether the storage space in the front-end browsing data contains authentication data;
若存储空间中不包含认证数据,判定第一认证结果为不通过;If the storage space does not contain authentication data, the first authentication result is determined to be failed;
若存储空间中包含认证数据,则根据前端浏览数据中的第一认证信息判断认证数据是否有效;If the storage space contains authentication data, determine whether the authentication data is valid based on the first authentication information in the front-end browsing data;
若认证数据无效,判定第一认证结果为不通过;If the authentication data is invalid, the first authentication result is determined to be failed;
若认证数据有效,则根据前端浏览数据中的第一认证信息判断敏感操作数据对应的敏感级别是否适用;If the authentication data is valid, determine whether the sensitivity level corresponding to the sensitive operation data is applicable based on the first authentication information in the front-end browsing data;
若敏感级别不适用,判定第一认证结果为不通过;If the sensitivity level is not applicable, the first authentication result will be judged as failed;
若敏感级别适用,判定第一认证结果为通过。If the sensitivity level is applicable, the first authentication result is determined to be passed.
在上述实现过程中,根据前端浏览数据进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,可以准确、合理地实现对敏感操作数据的第一次认证,使得到的认证结果更加准确。In the above implementation process, the authentication data existence determination, authentication data validity determination and sensitivity level determination are carried out based on the front-end browsing data, which can accurately and reasonably realize the first authentication of sensitive operation data, making the authentication results more accurate. .
本申请实施例的认证数据为认证码,认证码的header部分定义为{”type”:“JWT”,“alg”:“HS256”},有效载荷payload部分包含iss(签发人)、exp(过期时间)、sensitive(敏感级别数组)字段,通过判断客户端JWT是否存在,以及payload中的exp字段是否大于当前时间,以及sensitive字段是否包含当前操作接口的敏感级别。The authentication data in the embodiment of this application is an authentication code. The header part of the authentication code is defined as {"type": "JWT", "alg": "HS256"}, and the payload part includes iss (issuer), exp (expiration) time), sensitive (sensitivity level array) fields, by judging whether the client JWT exists, whether the exp field in the payload is greater than the current time, and whether the sensitive field contains the sensitivity level of the current operation interface.
进一步地,判断前端浏览数据中的存储空间中是否包含认证数据的步骤,包括:Further, the step of determining whether the storage space in the front-end browsing data contains authentication data includes:
从存储空间中获取敏感级别键值对;Get the sensitivity level key-value pair from the storage space;
判断敏感级别键值对的值是否为空;Determine whether the value of the sensitive level key-value pair is empty;
若是,判定存储空间中不包含认证数据;If so, it is determined that the storage space does not contain authentication data;
若否,判断敏感级别键值对对应的数据格式是否为预设数据格式,若数据格式符合预设数据格式,判定存储空间中包含认证数据,若数据格式不符合预设数据格式,判定存储空间中不包含认证数据。If not, determine whether the data format corresponding to the sensitive level key-value pair is the preset data format. If the data format conforms to the preset data format, determine that the storage space contains authentication data. If the data format does not conform to the preset data format, determine the storage space. Does not contain authentication data.
在上述实现过程中,根据敏感级别键值对对应的数据格式判断存储空间是否包含认证数据,可以在不知道认证数据的具体内容的情况下,快速、准确地对认证数据的存在性进行判定,提高认证效率。In the above implementation process, whether the storage space contains authentication data is determined based on the data format corresponding to the sensitive level key-value pair. The existence of the authentication data can be quickly and accurately determined without knowing the specific content of the authentication data. Improve authentication efficiency.
具体地,JWT可以放置在存储空间cookie中,也可以放在存储空间localStorage中,以放置在localStorage中为例,假设存放的敏感级别键值对中的key为sensitive_cert,使用localStorage.getItem("sensitive_cert")获取数据,如果数据不为空,且获取到的数据符合JWT的格式(三段以点号分隔),则认为认证数据存在。Specifically, JWT can be placed in the storage space cookie or in the storage space localStorage. Taking placement in localStorage as an example, assuming that the key in the stored sensitive level key-value pair is sensitive_cert, use localStorage.getItem("sensitive_cert ") to obtain the data. If the data is not empty and the obtained data conforms to the JWT format (the three sections are separated by dots), the authentication data is considered to exist.
进一步地,根据前端浏览数据中的第一认证信息判断认证数据是否有效的步骤,包括:Further, the step of determining whether the authentication data is valid based on the first authentication information in the front-end browsing data includes:
对前端浏览数据中的第一认证信息进行解码操作,得到有效载荷;Decode the first authentication information in the front-end browsing data to obtain the payload;
判断有效载荷中的过期时间字段是否大于阈值;Determine whether the expiration time field in the payload is greater than the threshold;
若是,判定认证数据有效;If so, determine that the authentication data is valid;
若否,判定认证数据无效。If not, the authentication data is determined to be invalid.
在上述实现过程中,根据有效载荷中的过期时间字段判断认证数据是否有效,能够节约对认证数据的解析过程,并及时获得认证数据的失效时间,保护用户的操作安全。In the above implementation process, judging whether the authentication data is valid based on the expiration time field in the payload can save the parsing process of the authentication data, obtain the expiration time of the authentication data in time, and protect the user's operational security.
通过对sensitive_cert的数据(第一认证信息)进行base64 decode解码操作,获取其中的有效载荷payload,payload是一个JSON格式的数据,通过判断有效载荷payload中的exp字段是否大于当前时间,若大于当前时间则认为认证数据有效。By performing a base64 decode decoding operation on the sensitive_cert data (first authentication information), the payload payload is obtained. The payload is a data in JSON format. By judging whether the exp field in the payload payload is greater than the current time, if it is greater than the current time The authentication data is considered valid.
进一步地,根据前端浏览数据中的第一认证信息判断敏感操作数据对应的敏感级别是否适用的步骤,包括:Further, the step of determining whether the sensitivity level corresponding to the sensitive operation data is applicable based on the first authentication information in the front-end browsing data includes:
判断有效载荷中的敏感数组是否包含敏感操作数据对应的敏感级别;Determine whether the sensitive array in the payload contains the sensitivity level corresponding to the sensitive operation data;
若是,判定敏感操作数据对应的敏感级别适用;If so, determine whether the sensitivity level corresponding to the sensitive operation data is applicable;
若否,判定敏感操作数据对应的敏感级别不适用。If not, it is determined that the sensitivity level corresponding to the sensitive operation data is not applicable.
在上述实现过程中,判断敏感操作数据对应的敏感级别是否适用,可以使得用户的操作在合适、安全的操作环境下进行,避免用户的操作过程存在安全隐患。In the above implementation process, determining whether the sensitivity level corresponding to the sensitive operation data is applicable can enable the user's operation to be carried out in a suitable and safe operating environment and avoid potential safety hazards in the user's operation process.
通过判断有效载荷payload中的敏感数组(sensitive数组)是否包含当前要操作的接口的敏感级别,包含则认为当前JWT适用于此次操作。By judging whether the sensitive array in the payload contains the sensitivity level of the interface currently being operated, if it does, it is considered that the current JWT is suitable for this operation.
如果JWT的敏感操作级别适用于当前操作接口,则携带认证码(JWT)直接调用具体的业务操作接口即可。如果认证码检测不适用于当前操作接口,则触发第二次认证。If the sensitive operation level of JWT is applicable to the current operation interface, just call the specific business operation interface directly with the authentication code (JWT). If the authentication code detection does not apply to the current operation interface, a second authentication is triggered.
进一步地,S4包括:Further, S4 includes:
根据敏感操作数据的敏感级别选取第二次认证的认证方式;Select the authentication method for the second authentication based on the sensitivity level of the sensitive operational data;
调取第二次认证的认证方式对应的二次认证接口;Call the secondary authentication interface corresponding to the authentication method of the second authentication;
根据二次认证接口触发第二次认证,得到第二认证信息,第二认证信息的有效时间为预设时间阈值;Trigger the second authentication according to the secondary authentication interface to obtain the second authentication information. The validity time of the second authentication information is the preset time threshold;
根据第二认证信息对敏感操作数据进行第二次认证,得到第二认证结果。Perform a second authentication on the sensitive operation data based on the second authentication information to obtain a second authentication result.
在上述实现过程中,根据二次认证接口触发第二次认证,确保第二次认证的安全性和有效性,同时可以避免多次认证,保护数据安全的同时提高用户体验感。In the above implementation process, the second authentication is triggered according to the secondary authentication interface to ensure the security and effectiveness of the second authentication. At the same time, multiple authentications can be avoided, protecting data security while improving user experience.
第二次认证方式包含多种,可以根据敏感级别进行选取,填写二次认证信息后进行认证判定,认证成功后更新客户端的认证码(JWT),同时携带新的认证码调用具体业务操作接口。如果第二次认证失败则代表当前用户无权执行当前操作,返回错误信息提示后退出当前流程。The second authentication method includes a variety of methods, which can be selected according to the sensitivity level. After filling in the secondary authentication information, the authentication judgment is made. After successful authentication, the client's authentication code (JWT) is updated, and the new authentication code is carried to call the specific business operation interface. If the second authentication fails, it means that the current user does not have the right to perform the current operation, and an error message will be returned and the current process will be exited.
进一步地,调用二次认证接口对敏感操作数据进行第二次认证,得到第二认证结果的步骤,还包括:Further, the step of calling the secondary authentication interface to perform a second authentication on sensitive operation data and obtain the second authentication result also includes:
若第二认证结果为通过,调用敏感操作数据对应的操作接口执行相应的用户操作;If the second authentication result is passed, call the operation interface corresponding to the sensitive operation data to perform the corresponding user operation;
更新敏感操作数据的认证数据。Update authentication data for sensitive operational data.
在上述实现过程中,在第二认证结果通过时再执行相应的用户操作,可以有效限制敏感操作的发生次数,保护用户的操作安全。In the above implementation process, the corresponding user operation is performed when the second authentication result is passed, which can effectively limit the number of occurrences of sensitive operations and protect the user's operational security.
进一步地,若第二认证结果为通过,在预设时间阈值内接收到新的操作数据,且新的操作数据的敏感级别低于当前敏感操作数据的敏感级别,则无需对新的操作数据进行第二次认证。Further, if the second authentication result is passed, new operation data is received within the preset time threshold, and the sensitivity level of the new operation data is lower than the sensitivity level of the current sensitive operation data, there is no need to perform authentication on the new operation data. Second certification.
在上述实现过程中,第二次认证结果存在一定的时效,可以确保用户能够在安全的情况下减少认证操作的过程。In the above implementation process, the second authentication result has a certain timeliness, which can ensure that users can reduce the authentication operation process in a safe manner.
示例性地,假设用户首次执行的敏感操作为重启服务,客户端在进行认证码检测时并未发现前端浏览数据中的存储空间中存在认证码,因此触发第二次认证,填写正确的认证信息后拿到一个有效期是10分钟的认证码,该认证码为JWT(eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzeXN0ZW0iLCJle HAiOjE2OTc3ODQ1MzYsInNlbnNpdGl2ZSI6WyJsb3ciXX0.8Ee7EpXYIiOtD zDeti49Rj3zUcActyAdBedObtlyFGg)。其中,payload部分为{"iss":"system","exp":1697784536,"sensitive":["low"]}。For example, assuming that the sensitive operation performed by the user for the first time is to restart the service, the client does not find that the authentication code exists in the storage space in the front-end browsing data when performing authentication code detection, so the second authentication is triggered and the correct authentication information is filled in. Finally, I got an authentication code that is valid for 10 minutes. The authentication code is JWT(eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzeXN0ZW0iLCJle HAiOjE2OTc3ODQ1MzYsInNlbnNpdGl2ZSI6WyJsb3ciXX0.8Ee7EpXYIiO tD zDeti49Rj3zUcActyAdBedObtlyFGg). Among them, the payload part is {"iss":"system","exp":1697784536,"sensitive":["low"]}.
更新完客户认证码(JWT),携带新的认证码调用真实的重启服务接口,成功执行重启操作。After updating the client authentication code (JWT), call the real restart service interface with the new authentication code, and successfully perform the restart operation.
系统经过5分钟重启后,用户继续执行配置登录白名单操作,客户执行认证码检测,发现存在且有效,但是认证码的敏感级别低于配置登录白名单所需的敏感级别,因此重新触发二次认证,认证成功后拿到新的认证码的有效期为10分钟,新的认证码为JWT(eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzeXN0ZW0iLCJle HAiOjE2OTc3ODQ4NTEsInNlbnNpdGl2ZSI6WyJsb3ciLCJtZWRpdW0iXX0.7l8pPh9GXYk-aMoDx-01EowlE8sCYzXGQHoQ8kVKtK8)。其中,payload部分为{"iss":"system","exp":1697784851,"sensitive":["low","medium"]}。After the system restarted for 5 minutes, the user continued to perform the operation of configuring the login whitelist. The customer performed the authentication code detection and found that it existed and was valid. However, the sensitivity level of the authentication code was lower than the sensitivity level required to configure the login whitelist, so it was retriggered a second time. Authentication, the validity period of the new authentication code obtained after the authentication is successful is 10 minutes. The new authentication code is JWT(eyJ0e iXX0.7l8pPh9GXYk-aMoDx-01EowlE8sCYzXGQHoQ8kVKtK8). Among them, the payload part is {"iss":"system","exp":1697784851,"sensitive":["low","medium"]}.
更新客户的新的认证码,并携带新的认证码调用配置登录白名单接口,成功执行,在有效期10分钟之内,若用户执行重启操作,JWT检测判定符合条件,因此无需二次认证,使用既有的认证码调用重启操作接口,成功执行重启操作。Update the customer's new authentication code, and bring the new authentication code to call the configuration login whitelist interface. The execution is successful. Within the validity period of 10 minutes, if the user performs a restart operation, the JWT detection determines that the conditions are met, so there is no need for secondary authentication. Use The existing authentication code calls the restart operation interface and successfully performs the restart operation.
本申请实施例通过采用明文信息+签名方式生成的认证码,既可以通过传递明文信息帮用户实现快速认证,也保障了信息无法被篡改,在完成二次认证后通过签发一个短时有效的认证码给客户端,客户端在执行敏感操作时,通过匹配当前操作与既有认证码的敏感级别,最终成功解决短时间内敏感操作重复认证的问题。The embodiment of this application uses the authentication code generated by plain text information + signature, which can not only help users achieve rapid authentication by transmitting plain text information, but also ensure that the information cannot be tampered with. After completing the secondary authentication, a short-term valid authentication is issued. Code is given to the client. When the client performs a sensitive operation, by matching the sensitivity level of the current operation with the existing authentication code, it finally successfully solves the problem of repeated authentication of sensitive operations within a short period of time.
实施例二Embodiment 2
为了执行上述实施例一对应的方法,以实现相应的功能和技术效果,下面提供一种敏感操作的认证装置,如图2所示,该装置包括:In order to perform the method corresponding to the above-mentioned Embodiment 1 to achieve corresponding functions and technical effects, an authentication device for sensitive operations is provided below. As shown in Figure 2, the device includes:
获取模块1,用于获取用户的操作数据;Obtain module 1, used to obtain the user's operation data;
敏感判定模块2,用于根据预置的敏感操作集对操作数据进行敏感判定;Sensitivity determination module 2 is used to determine the sensitivity of the operation data according to the preset sensitive operation set;
第一次认证模块3,用于在操作数据被判定为敏感操作数据的情况下,对敏感操作数据进行第一次认证,得到第一认证结果;The first authentication module 3 is used to perform the first authentication on the sensitive operation data and obtain the first authentication result when the operation data is determined to be sensitive operation data;
第二次认证模块4,用于在第一认证结果为不通过的情况下,调用二次认证接口对敏感操作数据进行第二次认证,得到第二认证结果;The second authentication module 4 is used to call the secondary authentication interface to perform a second authentication on sensitive operation data when the first authentication result is failed, and obtain the second authentication result;
操作执行模块5,用于在第二认证结果为通过的情况下,调用操作数据对应的操作接口执行相应的用户操作。The operation execution module 5 is configured to call the operation interface corresponding to the operation data to perform the corresponding user operation when the second authentication result is passed.
在上述实现过程中,根据敏感操作集对操作数据进行敏感判定后进行两次认证,可以提高对敏感操作的认证效率,提高认证准确率,避免多次重复认证,确保用户的资产安全,减少认证过程中的安全隐患,为用户提供更多安全保障。In the above implementation process, two authentications are performed after determining the sensitivity of the operation data according to the sensitive operation set, which can improve the authentication efficiency of sensitive operations, improve the authentication accuracy, avoid multiple repeated authentications, ensure the security of users' assets, and reduce the number of authentications. Potential safety hazards in the process are eliminated to provide users with more safety assurance.
进一步地,操作执行模块5还用于:在操作数据被判定为正常操作数据的情况下,调用操作数据对应的操作接口执行相应的用户操作。Further, the operation execution module 5 is also configured to: when the operation data is determined to be normal operation data, call the operation interface corresponding to the operation data to perform the corresponding user operation.
在上述实现过程中,操作数据为正常操作数据时,直接执行操作数据对应的用户操作,可以节省时间,提高用户的体验感。In the above implementation process, when the operation data is normal operation data, directly executing the user operations corresponding to the operation data can save time and improve the user experience.
进一步地,敏感判定模块2还用于:Furthermore, the sensitivity determination module 2 is also used to:
判断操作数据是否为敏感操作集中的敏感数据;Determine whether the operation data is sensitive data in the sensitive operation set;
若是,判定操作数据为敏感操作数据;If so, the operation data is determined to be sensitive operation data;
若否,判定操作数据为正常操作数据。If not, the operation data is determined to be normal operation data.
在上述实现过程中,先对操作数据进行敏感判定,将操作数据进行区分,可以防止敏感数据直接被执行,能够提高安全性能,避免造成用户损失。In the above implementation process, the sensitivity of the operation data is first determined and the operation data is distinguished, which can prevent sensitive data from being directly executed, improve security performance, and avoid user losses.
进一步地,敏感操作集中的敏感数据包括严重敏感数据、高度敏感数据、中度敏感数据和低度敏感数据。Further, the sensitive data in the sensitive operation set includes severely sensitive data, highly sensitive data, moderately sensitive data and lowly sensitive data.
进一步地,第一次认证模块3还用于:Furthermore, the first authentication module 3 is also used for:
获取敏感操作数据对应的前端浏览数据;Obtain front-end browsing data corresponding to sensitive operational data;
对前端浏览数据依次进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,得到第一认证结果。The front-end browsing data is sequentially judged on the existence of authentication data, the validity of authentication data and the sensitivity level, and the first authentication result is obtained.
在上述实现过程中,对前端浏览数据进行第一次认证,方便快速、准确地获知操作数据的初步认证情况,为后续第二次认证提供依据,可以缩短用户认证耗费的时间。In the above implementation process, the front-end browsing data is authenticated for the first time, so as to quickly and accurately obtain the preliminary authentication status of the operation data, provide a basis for the subsequent second authentication, and shorten the time spent on user authentication.
进一步地,第一次认证模块3还用于:Furthermore, the first authentication module 3 is also used for:
判断前端浏览数据中的存储空间中是否包含认证数据;Determine whether the storage space in the front-end browsing data contains authentication data;
若存储空间中不包含认证数据,判定第一认证结果为不通过;If the storage space does not contain authentication data, the first authentication result is determined to be failed;
若存储空间中包含认证数据,则根据前端浏览数据中的第一认证信息判断认证数据是否有效;If the storage space contains authentication data, determine whether the authentication data is valid based on the first authentication information in the front-end browsing data;
若认证数据无效,判定第一认证结果为不通过;If the authentication data is invalid, the first authentication result is determined to be failed;
若认证数据有效,则根据前端浏览数据中的第一认证信息判断敏感操作数据对应的敏感级别是否适用;If the authentication data is valid, determine whether the sensitivity level corresponding to the sensitive operation data is applicable based on the first authentication information in the front-end browsing data;
若敏感级别不适用,判定第一认证结果为不通过;If the sensitivity level is not applicable, the first authentication result will be judged as failed;
若敏感级别适用,判定第一认证结果为通过。If the sensitivity level is applicable, the first authentication result is determined to be passed.
在上述实现过程中,根据前端浏览数据进行认证数据存在性判定、认证数据有效性判定和敏感级别判定,可以准确、合理地实现对敏感操作数据的第一次认证,使得到的认证结果更加准确。In the above implementation process, the authentication data existence determination, authentication data validity determination and sensitivity level determination are carried out based on the front-end browsing data, which can accurately and reasonably realize the first authentication of sensitive operation data, making the authentication results more accurate. .
进一步地,第一次认证模块3还用于:Furthermore, the first authentication module 3 is also used for:
从存储空间中获取敏感级别键值对;Get the sensitivity level key-value pair from the storage space;
判断敏感级别键值对的值是否为空;Determine whether the value of the sensitive level key-value pair is empty;
若是,判定存储空间中不包含认证数据;If so, it is determined that the storage space does not contain authentication data;
若否,判断敏感级别键值对对应的数据格式是否为预设数据格式,若数据格式符合预设数据格式,判定存储空间中包含认证数据,若数据格式不符合预设数据格式,判定存储空间中不包含认证数据。If not, determine whether the data format corresponding to the sensitive level key-value pair is the preset data format. If the data format conforms to the preset data format, determine that the storage space contains authentication data. If the data format does not conform to the preset data format, determine the storage space. Does not contain authentication data.
在上述实现过程中,根据敏感级别键值对对应的数据格式判断存储空间是否包含认证数据,可以在不知道认证数据的具体内容的情况下,快速、准确地对认证数据的存在性进行判定,提高认证效率。In the above implementation process, whether the storage space contains authentication data is determined based on the data format corresponding to the sensitive level key-value pair. The existence of the authentication data can be quickly and accurately determined without knowing the specific content of the authentication data. Improve authentication efficiency.
进一步地,第一次认证模块3还用于:Furthermore, the first authentication module 3 is also used for:
对前端浏览数据中的第一认证信息进行解码操作,得到有效载荷;Decode the first authentication information in the front-end browsing data to obtain the payload;
判断有效载荷中的过期时间字段是否大于阈值;Determine whether the expiration time field in the payload is greater than the threshold;
若是,判定认证数据有效;If so, determine that the authentication data is valid;
若否,判定认证数据无效。If not, the authentication data is determined to be invalid.
在上述实现过程中,根据有效载荷中的过期时间字段判断认证数据是否有效,能够节约对认证数据的解析过程,并及时获得认证数据的失效时间,保护用户的操作安全。In the above implementation process, judging whether the authentication data is valid based on the expiration time field in the payload can save the parsing process of the authentication data, obtain the expiration time of the authentication data in time, and protect the user's operational security.
进一步地,第一次认证模块3还用于:Furthermore, the first authentication module 3 is also used for:
判断有效载荷中的敏感数组是否包含敏感操作数据对应的敏感级别;Determine whether the sensitive array in the payload contains the sensitivity level corresponding to the sensitive operation data;
若是,判定敏感操作数据对应的敏感级别适用;If so, determine whether the sensitivity level corresponding to the sensitive operation data is applicable;
若否,判定敏感操作数据对应的敏感级别不适用。If not, it is determined that the sensitivity level corresponding to the sensitive operation data is not applicable.
在上述实现过程中,判断敏感操作数据对应的敏感级别是否适用,可以使得用户的操作在合适、安全的操作环境下进行,避免用户的操作过程存在安全隐患。In the above implementation process, determining whether the sensitivity level corresponding to the sensitive operation data is applicable can enable the user's operation to be carried out in a suitable and safe operating environment and avoid potential safety hazards in the user's operation process.
进一步地,第二次认证模块4还用于:Furthermore, the second authentication module 4 is also used for:
根据敏感操作数据的敏感级别选取第二次认证的认证方式;Select the authentication method for the second authentication based on the sensitivity level of the sensitive operational data;
调取第二次认证的认证方式对应的二次认证接口;Call the secondary authentication interface corresponding to the authentication method of the second authentication;
根据二次认证接口触发第二次认证,得到第二认证信息,第二认证信息的有效时间为预设时间阈值;Trigger the second authentication according to the secondary authentication interface to obtain the second authentication information. The validity time of the second authentication information is the preset time threshold;
根据第二认证信息对敏感操作数据进行第二次认证,得到第二认证结果。Perform a second authentication on the sensitive operation data based on the second authentication information to obtain a second authentication result.
在上述实现过程中,根据二次认证接口触发第二次认证,确保第二次认证的安全性和有效性,同时可以避免多次认证,保护数据安全的同时提高用户体验感。In the above implementation process, the second authentication is triggered according to the secondary authentication interface to ensure the security and effectiveness of the second authentication. At the same time, multiple authentications can be avoided, protecting data security while improving user experience.
进一步地,第二次认证模块4还用于:Furthermore, the second authentication module 4 is also used for:
若第二认证结果为通过,调用敏感操作数据对应的操作接口执行相应的用户操作;If the second authentication result is passed, call the operation interface corresponding to the sensitive operation data to perform the corresponding user operation;
更新敏感操作数据的认证数据。Update authentication data for sensitive operational data.
在上述实现过程中,在第二认证结果通过时再执行相应的用户操作,可以有效限制敏感操作的发生次数,保护用户的操作安全。In the above implementation process, the corresponding user operation is performed when the second authentication result is passed, which can effectively limit the number of occurrences of sensitive operations and protect the user's operational security.
进一步地,若第二认证结果为通过,在预设时间阈值内接收到新的操作数据,且新的操作数据的敏感级别低于当前敏感操作数据的敏感级别,则无需对新的操作数据进行第二次认证。Further, if the second authentication result is passed, new operation data is received within the preset time threshold, and the sensitivity level of the new operation data is lower than the sensitivity level of the current sensitive operation data, there is no need to perform authentication on the new operation data. Second certification.
在上述实现过程中,第二次认证结果存在一定的时效,可以确保用户能够在安全的情况下减少认证操作的过程。In the above implementation process, the second authentication result has a certain timeliness, which can ensure that users can reduce the authentication operation process in a safe manner.
上述的敏感操作的认证装置可实施上述实施例一的方法。上述实施例一中的可选项也适用于本实施例,这里不再详述。The above-mentioned authentication device for sensitive operations can implement the method of the above-mentioned Embodiment 1. The options in the above-mentioned Embodiment 1 are also applicable to this embodiment and will not be described in detail here.
本申请实施例的其余内容可参照上述实施例一的内容,在本实施例中,不再进行赘述。For the rest of the content of the embodiment of the present application, reference can be made to the content of the above-mentioned Embodiment 1, and no further description will be given in this embodiment.
实施例三Embodiment 3
本申请实施例提供一种电子设备,包括存储器及处理器,该存储器用于存储计算机程序,该处理器运行计算机程序以使电子设备执行实施例一的敏感操作的认证方法。An embodiment of the present application provides an electronic device, including a memory and a processor. The memory is used to store a computer program. The processor runs the computer program to cause the electronic device to perform the authentication method for sensitive operations in Embodiment 1.
可选地,上述电子设备可以是服务器。Optionally, the above-mentioned electronic device may be a server.
请参见图3,图3为本申请实施例提供的电子设备的结构组成示意图。该电子设备可以包括处理器31、通信接口32、存储器33和至少一个通信总线34。其中,通信总线34用于实现这些组件直接的连接通信。其中,本申请实施例中设备的通信接口32用于与其他节点设备进行信令或数据的通信。处理器31可以是一种集成电路芯片,具有信号的处理能力。Please refer to FIG. 3 , which is a schematic structural diagram of an electronic device provided by an embodiment of the present application. The electronic device may include a processor 31, a communication interface 32, a memory 33 and at least one communication bus 34. Among them, the communication bus 34 is used to realize direct connection communication between these components. Among them, the communication interface 32 of the device in the embodiment of the present application is used to communicate signaling or data with other node devices. The processor 31 may be an integrated circuit chip with signal processing capabilities.
上述的处理器31可以是通用处理器,包括中央处理器(Central ProcessingUnit,CPU)、网络处理器(Network Processor,NP)等;还可以是数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器31也可以是任何常规的处理器等。The above-mentioned processor 31 can be a general-purpose processor, including a central processing unit (CPU), a network processor (Network Processor, NP), etc.; it can also be a digital signal processor (DSP) or an application-specific integrated circuit (ASIC). , off-the-shelf programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. Each method, step and logical block diagram disclosed in the embodiment of this application can be implemented or executed. The general processor may be a microprocessor or the processor 31 may be any conventional processor or the like.
存储器33可以是,但不限于,随机存取存储器(Random Access Memory,RAM),只读存储器(Read Only Memory,ROM),可编程只读存储器(Programmable Read-Only Memory,PROM),可擦除只读存储器(Erasable Programmable Read-Only Memory,EPROM),电可擦除只读存储器(Electric Erasable Programmable Read-Only Memory,EEPROM)等。存储器33中存储有计算机可读取指令,当计算机可读取指令由所述处理器31执行时,设备可以执行上述图1方法实施例涉及的各个步骤。The memory 33 may be, but is not limited to, random access memory (Random Access Memory, RAM), read only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable Read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable read-only memory (Electric Erasable Programmable Read-Only Memory, EEPROM), etc. Computer-readable instructions are stored in the memory 33. When the computer-readable instructions are executed by the processor 31, the device can perform various steps involved in the above-mentioned method embodiment of FIG. 1.
可选地,电子设备还可以包括存储控制器、输入输出单元。存储器33、存储控制器、处理器31、外设接口、输入输出单元各元件相互之间直接或间接地电性连接,以实现数据的传输或交互。例如,这些元件相互之间可通过一条或通信总线34实现电性连接。处理器31用于执行存储器33中存储的可执行模块,例如设备包括的软件功能模块或计算机程序。Optionally, the electronic device may also include a storage controller and an input and output unit. The components of the memory 33, storage controller, processor 31, peripheral interface, and input/output unit are directly or indirectly electrically connected to each other to realize data transmission or interaction. For example, these components may be electrically connected to each other through a communication bus 34 . The processor 31 is used to execute executable modules stored in the memory 33, such as software function modules or computer programs included in the device.
输入输出单元用于提供给用户创建任务以及为该任务创建启动可选时段或预设执行时间以实现用户与服务器的交互。输入输出单元可以是,但不限于,鼠标和键盘等。The input and output unit is used to provide the user with the ability to create a task and create a startup optional period or a preset execution time for the task to enable interaction between the user and the server. The input and output unit may be, but is not limited to, a mouse, a keyboard, etc.
可以理解,图3所示的结构仅为示意,电子设备还可包括比图3中所示更多或者更少的组件,或者具有与图3所示不同的配置。图3中所示的各组件可以采用硬件、软件或其组合实现。It can be understood that the structure shown in FIG. 3 is only illustrative, and the electronic device may also include more or fewer components than shown in FIG. 3 , or have a different configuration than that shown in FIG. 3 . Each component shown in Figure 3 can be implemented in hardware, software, or a combination thereof.
另外,本申请实施例还提供一种计算机可读存储介质,其存储有计算机程序,该计算机程序被处理器执行时实现实施例一的敏感操作的认证方法。In addition, an embodiment of the present application also provides a computer-readable storage medium that stores a computer program. When the computer program is executed by a processor, the authentication method for sensitive operations in Embodiment 1 is implemented.
本申请实施例还提供一种计算机程序产品,该计算机程序产品在计算机上运行时,使得计算机执行方法实施例所述的方法。Embodiments of the present application also provide a computer program product. When the computer program product is run on a computer, it causes the computer to execute the method described in the method embodiment.
在本申请所提供的几个实施例中,应该理解到,所揭露的装置和方法,也可以通过其它的方式实现。以上所描述的装置实施例仅仅是示意性的,例如,附图中的流程图和框图显示了根据本申请的多个实施例的装置、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段或代码的一部分,所述模块、程序段或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现方式中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个连续的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或动作的专用的基于硬件的装置来实现,或者可以用专用硬件与计算机指令的组合来实现。In the several embodiments provided in this application, it should be understood that the disclosed devices and methods can also be implemented in other ways. The device embodiments described above are only illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show the possible implementation architecture, functions and functions of the devices, methods and computer program products according to multiple embodiments of the present application. operate. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code that contains one or more components for implementing the specified logical function(s). Executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two consecutive blocks may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by special purpose hardware-based means that perform the specified functions or acts. , or can be implemented using a combination of specialized hardware and computer instructions.
另外,在本申请各个实施例中的各功能模块可以集成在一起形成一个独立的部分,也可以是各个模块单独存在,也可以两个或两个以上模块集成形成一个独立的部分。In addition, each functional module in each embodiment of the present application can be integrated together to form an independent part, each module can exist alone, or two or more modules can be integrated to form an independent part.
所述功能如果以软件功能模块的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、ROM、RAM、磁碟或者光盘等各种可以存储程序代码的介质。If the functions are implemented in the form of software function modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in various embodiments of this application. The aforementioned storage media include: U disk, mobile hard disk, ROM, RAM, magnetic disk or optical disk and other media that can store program codes.
以上所述仅为本申请的实施例而已,并不用于限制本申请的保护范围值,对于本领域的技术人员来说,本申请可以有各种更改和变化。凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围值之内。应注意到:相似的标号和字母在下面的附图中表示类似项,因此,一旦某一项在一个附图中被定义,则在随后的附图中不需要对其进行进一步定义和解释。The above are only examples of the present application and are not intended to limit the protection scope of the present application. For those skilled in the art, the present application may have various modifications and changes. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of this application shall be included in the protection scope of this application. It should be noted that similar reference numerals and letters represent similar items in the following figures, therefore, once an item is defined in one figure, it does not need further definition and explanation in subsequent figures.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围值并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围值内,可轻易想到变化或替换,都应涵盖在本申请的保护范围值之内。因此,本申请的保护范围值应所述以权利要求的保护范围值为准。The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto. Any person familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the present application. , should all be covered within the protection scope of this application. Therefore, the value of the protection scope of this application should be determined by the value of the protection scope of the claims.
需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。It should be noted that in this article, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply that these entities or operations are mutually exclusive. any such actual relationship or sequence exists between them. Furthermore, the terms "comprises," "comprises," or any other variations thereof are intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus that includes a list of elements includes not only those elements, but also those not expressly listed other elements, or elements inherent to the process, method, article or equipment. Without further limitation, an element defined by the statement "comprises a..." does not exclude the presence of additional identical elements in a process, method, article, or apparatus that includes the stated element.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311695277.6ACN117633751A (en) | 2023-12-11 | 2023-12-11 | Authentication method, device, electronic equipment and storage medium for sensitive operations |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311695277.6ACN117633751A (en) | 2023-12-11 | 2023-12-11 | Authentication method, device, electronic equipment and storage medium for sensitive operations |
| Publication Number | Publication Date |
|---|---|
| CN117633751Atrue CN117633751A (en) | 2024-03-01 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311695277.6APendingCN117633751A (en) | 2023-12-11 | 2023-12-11 | Authentication method, device, electronic equipment and storage medium for sensitive operations |
| Country | Link |
|---|---|
| CN (1) | CN117633751A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119004422A (en)* | 2024-08-08 | 2024-11-22 | 北京建恒信安科技有限公司 | Hierarchical identity verification method and device and electronic equipment |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9444824B1 (en)* | 2014-02-28 | 2016-09-13 | Intuit Inc. | Methods, systems, and articles of manufacture for implementing adaptive levels of assurance in a financial management system |
| CN110198301A (en)* | 2019-03-26 | 2019-09-03 | 腾讯科技(深圳)有限公司 | A kind of service data acquisition methods, device and equipment |
| CN110232265A (en)* | 2019-06-21 | 2019-09-13 | 杭州安恒信息技术股份有限公司 | Dual-identity authentication method, apparatus and system |
| CN113014576A (en)* | 2021-02-23 | 2021-06-22 | 中国联合网络通信集团有限公司 | Service authority control method, device, server and storage medium |
| CA3181818A1 (en)* | 2020-08-31 | 2022-03-03 | Xuandong Hua | Secured communications in medical monitoring systems |
| CN114978605A (en)* | 2022-04-25 | 2022-08-30 | 联仁健康医疗大数据科技股份有限公司 | Page access method and device, electronic equipment and storage medium |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9444824B1 (en)* | 2014-02-28 | 2016-09-13 | Intuit Inc. | Methods, systems, and articles of manufacture for implementing adaptive levels of assurance in a financial management system |
| CN110198301A (en)* | 2019-03-26 | 2019-09-03 | 腾讯科技(深圳)有限公司 | A kind of service data acquisition methods, device and equipment |
| CN110232265A (en)* | 2019-06-21 | 2019-09-13 | 杭州安恒信息技术股份有限公司 | Dual-identity authentication method, apparatus and system |
| CA3181818A1 (en)* | 2020-08-31 | 2022-03-03 | Xuandong Hua | Secured communications in medical monitoring systems |
| CN113014576A (en)* | 2021-02-23 | 2021-06-22 | 中国联合网络通信集团有限公司 | Service authority control method, device, server and storage medium |
| CN114978605A (en)* | 2022-04-25 | 2022-08-30 | 联仁健康医疗大数据科技股份有限公司 | Page access method and device, electronic equipment and storage medium |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119004422A (en)* | 2024-08-08 | 2024-11-22 | 北京建恒信安科技有限公司 | Hierarchical identity verification method and device and electronic equipment |
| Publication | Publication Date | Title |
|---|---|---|
| US11762979B2 (en) | Management of login information affected by a data breach | |
| WO2017076214A1 (en) | A sms-based website login method and login system thereof | |
| US10678528B1 (en) | Directory schema deployment with pipelines | |
| CN106465076B (en) | Method and terminal for controlling short message reading | |
| CN110059007B (en) | System vulnerability scanning method and device, computer equipment and storage medium | |
| US20210152571A1 (en) | Systems and methods for detecting security incidents | |
| CN111259368A (en) | Method and equipment for logging in system | |
| CN113378152B (en) | Operation and maintenance auditing method and device, storage medium and electronic equipment | |
| CN117633751A (en) | Authentication method, device, electronic equipment and storage medium for sensitive operations | |
| WO2023050524A1 (en) | Im-based user identity authentication method and apparatus, and server and storage medium | |
| CN113364755A (en) | Single sign-on method, device, equipment and medium based on IP address | |
| CN104780042A (en) | Two-layer authentication method, device and system for instant messaging | |
| US11356481B1 (en) | Preventing phishing attempts of one-time passwords | |
| CN113448919A (en) | Method, apparatus and computer program product for creating and verifying index files | |
| CN112416624B (en) | Application data interaction method and system based on open platform | |
| CN106230702A (en) | Identity information verification method, Apparatus and system | |
| CN106130864A (en) | A kind of privately owned cloud access method and apparatus based on VPN | |
| CN111475400B (en) | Verification method of service platform and related equipment | |
| CN105227314B (en) | Method and device for logging in system desktop | |
| US20230353596A1 (en) | Systems and methods for preventing one-time password phishing | |
| CN106998315A (en) | Method, device and system for registration and authentication | |
| CN111737129B (en) | Service control method, device, computer readable medium and electronic equipment | |
| CN111079140A (en) | Method, device and system for preventing cheating | |
| CN112383542B (en) | User login method and system, authentication end and user end | |
| CN107105046B (en) | Method and system for remote access to big data |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | Country or region after:China Address after:Building 1, 10th Floor 1-7, No. 76 Zhichun Road, Haidian District, Beijing 100082 (Office Building) Applicant after:BEIJING THREATBOOK TECHNOLOGY CO.,LTD. Address before:1-24, Floor 4, No. 49-3, Suzhou Street, Haidian District, Beijing, 100082 Applicant before:BEIJING THREATBOOK TECHNOLOGY CO.,LTD. Country or region before:China | |
| CB02 | Change of applicant information |