CN114386073A - Method and device for creating security certificate, electronic equipment and storage medium - Google Patents
- Publication number
- CN114386073A (application CN202210041368.7A)
- Authority
- CN
- China
- Prior art keywords
- access request
- target
- security certificate
- target data
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The present disclosure provides a method for creating a security certificate, which can be applied to the technical field of computers. The method comprises the following steps: in response to receiving an access request from a user, determining whether target data corresponding to the access request needs encrypted transmission; in the event that the target data corresponding to the access request requires encrypted transmission, determining whether a security certificate associated with the access request exists; in the event that no security certificate associated with the access request exists, creating a target security certificate associated with the access request; and encrypting the target data according to the target security certificate to obtain encrypted target data. The present disclosure also provides an apparatus, an electronic device, a storage medium, and a program product for creating a security certificate.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, an electronic device, a storage medium, and a program product for creating a security certificate.
Background
At present, server operation and maintenance personnel create security certificates in advance and store them in a database. When a client needs to establish a ciphertext data transmission connection with the server, it sends an access request to the server; after receiving the access request, the server determines the security certificate associated with it. According to that security certificate, the server encrypts the target data corresponding to the access request and sends it to the client, which verifies it and establishes the ciphertext data transmission connection. If the server determines that no security certificate associated with the access request exists, it sends a transmission failure message to the client.
Because security certificates are created and stored in the database in advance, when the server determines that no security certificate associated with the received access request exists, a certificate associated with the client's access request cannot be created in time; the establishment of the ciphertext data transmission connection therefore fails and the user experience suffers.
Disclosure of Invention
In view of the above, the present disclosure provides a method, apparatus, electronic device, storage medium, and program product for creating a security certificate. By checking the mode field information in the access request, it is determined whether a target security certificate needs to be created when no security certificate associated with the access request exists. When the adaptive mode is not turned on, a security certificate associated with the access request is created so that the client can verify it and establish the ciphertext data transmission connection. In this way, the probability that the user obtains the encrypted target data is increased while the user's encryption requirement is respected.
According to an aspect of the present disclosure, there is provided a method of creating a security certificate, including: in response to receiving an access request from a user, determining whether target data corresponding to the access request needs encrypted transmission; determining whether a security certificate associated with the access request exists in the event that it is determined that target data corresponding to the access request requires encrypted transmission; in an instance in which it is determined that the security credential associated with the access request does not exist, creating a target security credential associated with the access request; and encrypting the target data according to the target security certificate to obtain encrypted target data.
According to an embodiment of the present disclosure, the creating a target security credential associated with the access request comprises: acquiring mode field information in the access request, wherein the mode field information indicates whether to start an adaptive mode; and in the event that the mode field information indicates that the adaptive mode is not to be turned on, creating a target security credential associated with the access request.
According to an embodiment of the present disclosure, the creating a target security certificate associated with the access request comprises: determining a service identifier according to the access request; determining encryption information associated with the service identifier according to the service identifier; generating a first target security certificate according to the server identification and the encryption information; and associating the first target security certificate with the access request.
According to an embodiment of the present disclosure, the encrypting the target data according to the target security certificate to obtain encrypted target data includes: acquiring a private key and a public key of the first target security certificate; encrypting the target data by using the private key to obtain first encrypted target data; the method further comprises the following steps: and sending the first encrypted target data and the public key to the user.
According to an embodiment of the present disclosure, the creating a target security credential associated with the access request further comprises: sending a target security certificate request, the target security certificate request including a server identification; and in response to receiving a second target security credential, associating the second target security credential with the access request.
According to an embodiment of the present disclosure, the target security certificate request further includes at least one of a service identifier, an encryption level, and an encryption algorithm.
According to an embodiment of the present disclosure, the encrypting the target data according to the target security certificate to obtain encrypted target data includes: obtaining a private key of the second target security certificate; encrypting the target data according to the private key to obtain second encrypted target data; the method further comprises the following steps: and sending the second encrypted target data to the user.
According to another aspect of the present disclosure, there is provided an apparatus for creating a security certificate, including: a first determining module, configured to determine, in response to an access request from a user, whether target data corresponding to the access request needs encrypted transmission; a second determining module, configured to determine whether a security certificate associated with the access request exists if it is determined that the target data corresponding to the access request needs encrypted transmission; a creation module, configured to create a target security certificate associated with the access request if it is determined that no security certificate associated with the access request exists; and an encryption module, configured to encrypt the target data according to the target security certificate to obtain encrypted target data.
According to another aspect of the present disclosure, there is provided an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described method of creating security credentials.
According to another aspect of the present disclosure, there is also provided a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method of creating security credentials.
According to another aspect of the present disclosure, there is also provided a computer program product comprising a computer program which, when executed by a processor, implements the above-described method of creating a security certificate.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a method, apparatus, device, medium, and program product for creating security certificates, in accordance with embodiments of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a method of creating security credentials according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow diagram of a method of creating a security certificate according to another embodiment of the present disclosure;
FIG. 4 schematically illustrates a diagram of a method of creating a target security certificate according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a diagram of a method of creating a target security certificate according to another embodiment of the present disclosure;
fig. 6 schematically shows a block diagram of the structure of a device for creating a security certificate according to an embodiment of the present disclosure; and
fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement the method of creating security credentials according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
The embodiment of the disclosure provides a method for creating a security certificate, which is used for responding to an access request received from a user and determining whether target data corresponding to the access request needs encrypted transmission or not; in the event that it is determined that target data corresponding to the access request requires encrypted transmission, determining whether a security credential associated with the access request exists; in an instance in which it is determined that the security credential associated with the access request does not exist, creating a target security credential associated with the access request; and encrypting the target data according to the target security certificate to obtain encrypted target data.
Fig. 1 schematically illustrates an application scenario for creating a security certificate according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include terminal devices 101, 102, 103. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the method for creating a security certificate provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the means for creating a security certificate provided by the embodiments of the present disclosure may be generally disposed in the server 105. The method for creating security certificates provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the device for creating a security certificate provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal apparatuses 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The method for creating a security certificate of the disclosed embodiment will be described in detail below with fig. 2 to 5 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of a method of creating a security certificate according to an embodiment of the present disclosure.
As shown in fig. 2, the method of creating a security certificate of this embodiment includes operations S210 to S240.
In operation S210, in response to receiving an access request from a user, it is determined whether target data corresponding to the access request requires encrypted transmission.
According to the embodiment of the disclosure, when a user wants to establish ciphertext data transmission connection with a server, the user sends an access request to the server. The access request may include at least one of a domain name, an IP address, and a data transfer mode. The server stores at least one domain name, and each domain name is associated with a data transmission mode corresponding to the domain name. And under the condition that the access request sent by the user is a domain name, the server determines the transmission mode of the target data corresponding to the access request according to the domain name.
Based on the access request sent by the user, the server determines whether the target data corresponding to the access request needs encrypted transmission.
In operation S220, in case it is determined that the target data corresponding to the access request requires encrypted transmission, it is determined whether a security certificate associated with the access request exists.
According to an embodiment of the present disclosure, a security certificate is a tool used to uniquely confirm the identity of a server. The security certificate may include a security certificate authority identification, a public key of a security certificate user key pair, an encryption algorithm used by the digital signature, and the digital signature. And storing the security certificate associated with the domain name in the database under the condition that the data transmission mode associated with the domain name is encrypted data transmission.
In the case where the data transfer mode corresponding to the user access request is encrypted, the server determines whether a security certificate associated with the access request exists in the database.
In operation S230, in the case where it is determined that there is no security certificate associated with the access request, a target security certificate associated with the access request is created.
According to the embodiment of the disclosure, under the condition that the security certificate associated with the access request exists in the database, the server encrypts the target data according to the private key of the certificate user corresponding to the public key of the security certificate user in the security certificate, and sends the encrypted target data to the user for the user to verify and establish the ciphertext data transmission connection.
In the event that the security credential associated with the access request does not exist within the database, the server creates a target security credential associated with the access request.
According to another embodiment of the present disclosure, a service identifier is determined according to an access request; and determining the encryption information associated with the service identifier according to the service identifier. And generating a first target security certificate according to the server identification and the encryption information. The first target security credential is associated with the access request.
The access request may also include encryption information. The encryption information includes an encryption algorithm used to encrypt the target data and an encryption algorithm level, the encryption algorithm level corresponding to a respective encryption algorithm. At least one service identification is stored in the database, and each service identification is associated with encryption information. The service identifier is a unique identifier representing a service type, for example, the service type may include a transaction type and a personal information type.
The encryption information used for generating the first target security certificate comprises the encryption information in the access request sent by the user and the encryption information stored in the database and associated with the service identifier. Specifically, the service identifier corresponding to the domain name in the access request is determined from that domain name, and the encryption information corresponding to the service identifier is then determined from the service identifier.
A key pair of the first target security certificate user, a first digital signature encryption algorithm and a first digital signature key pair are determined according to the encryption information. The server first forms a first target security certificate file from the server identification and the public key of the first target security certificate user key pair, then computes a one-way digest of that file with the first digital signature encryption algorithm (the text calls this irreversible encryption) to obtain the first digital signature. The server then encrypts the first digital signature with the private key of the first digital signature key pair to obtain the first encrypted digital signature. The first digital signature encryption algorithm may be the message digest algorithm 5 (MD5), the secure hash algorithm 2 family (SHA-2), or a hashed message authentication code (HMAC).
A first target security certificate is generated from the first target security certificate file, the first digital signature encryption algorithm and the first encrypted digital signature, and is associated with the access request.
According to another embodiment of the disclosure, a target security certificate request is sent, the target security certificate request including a server identification. In response to receiving the second target security credential, the second target security credential is associated with the access request.
In operation S240, the target data is encrypted according to the target security certificate, so as to obtain encrypted target data.
According to the embodiment of the disclosure, a private key and a public key of a first target security certificate are obtained. And encrypting the target data by using a private key to obtain first encrypted target data. The first encrypted target data and the public key are sent to the user.
The private key of the first target security certificate comprises a private key of a first target security certificate user key pair, and the public key of the first target security certificate comprises a public key of a first digital signature key pair. And encrypting the target data by using a private key in the first target security certificate user key pair to obtain first encrypted target data. And sending the first encrypted target data and the public key in the first digital signature key pair to the user.
After receiving the first encrypted target data and the public key of the first digital signature key pair, the user obtains the server's first target security certificate. The user decrypts the first encrypted digital signature in the certificate with the public key of the first digital signature key pair to recover the first digital signature, then applies the first digital signature encryption algorithm named in the certificate to the first target security certificate file to obtain a first verification digital signature. The user compares the first verification digital signature with the first digital signature. If they match, the user takes the public key of the first target security certificate user key pair from the first target security certificate file and decrypts the first encrypted target data with it to obtain the target data. If they do not match, the user stops establishing the ciphertext data transmission connection with the server.
According to another embodiment of the present disclosure, the target data is encrypted by using a private key of a first target security certificate user key pair to obtain first encrypted target data. And sending the first encrypted target data, the first target security certificate and the public key in the first digital signature key pair to a user so that the user can verify the first target security certificate file and establish ciphertext data transmission connection. The way in which the user verifies the first target security certificate file is the same as that described above, and is not described herein again.
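Both sides of the first-target-certificate flow (operations S230 and S240 on the server, the verification sequence on the user side), as an added Python example that is not part of the patent. The key pairs are constructed textbook RSA keys built from fixed Mersenne primes, "SHA2" is taken to mean SHA-256, and a JSON encoding of the certificate file is assumed; these are illustration choices, not anything the patent specifies, and fixed public primes make the keys unusable for real traffic. MD5 appears in the algorithm table only because the text lists it. The example also exercises the mismatch branch: a certificate file altered after signing fails verification and the user side returns nothing instead of proceeding.

```python
import hashlib
import json

# Constructed toy RSA parameters (Mersenne primes chosen so that a SHA-256
# digest and a short message fit below the modulus). Fixed, public primes
# make these keys worthless for real use; they exist only to make the
# "encrypt with private key / decrypt with public key" steps visible.
def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): the public and private halves of a key pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)

USER_PUB, USER_PRIV = make_keypair((1 << 127) - 1, (1 << 521) - 1)  # certificate user key pair
SIG_PUB, SIG_PRIV = make_keypair((1 << 89) - 1, (1 << 607) - 1)     # digital signature key pair

def rsa_apply(key, value):
    """Textbook RSA: raise to the key's exponent modulo its modulus."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

# Digest algorithms named by the text; SHA2 is mapped to SHA-256 here (assumption).
# MD5 is kept only because the text lists it: it is no longer collision resistant.
HASH_ALGOS = {"SHA2": hashlib.sha256, "MD5": hashlib.md5}

def encode_cert_file(cert_file):
    """Canonical byte encoding of the certificate file (JSON, assumed, not from the patent)."""
    return json.dumps(cert_file, sort_keys=True).encode()

def create_first_target_certificate(server_id, user_pub, sig_algo, sig_priv):
    """Server side (operation S230): certificate file -> digest -> encrypted digest."""
    cert_file = {"server_id": server_id, "user_public_key": list(user_pub)}
    digest = HASH_ALGOS[sig_algo](encode_cert_file(cert_file)).digest()   # first digital signature
    encrypted_sig = rsa_apply(sig_priv, int.from_bytes(digest, "big"))   # first encrypted digital signature
    return {"file": cert_file, "signature_algorithm": sig_algo, "encrypted_signature": encrypted_sig}

def encrypt_target_data(data, user_priv):
    """Operation S240: encrypt with the private key of the certificate user key pair."""
    m = int.from_bytes(b"\x01" + data, "big")   # 0x01 prefix preserves leading zero bytes
    if m >= user_priv[1]:
        raise ValueError("toy scheme: target data must fit below the modulus")
    return rsa_apply(user_priv, m)

def client_verify_and_decrypt(encrypted_data, sig_pub, cert):
    """User side: the check sequence described for the first target certificate."""
    recovered = rsa_apply(sig_pub, cert["encrypted_signature"])        # decrypt with signature public key
    algo = HASH_ALGOS[cert["signature_algorithm"]]
    verification = int.from_bytes(algo(encode_cert_file(cert["file"])).digest(), "big")
    if verification != recovered:
        return None                                                    # stop: certificate does not verify
    e, n = cert["file"]["user_public_key"]                             # public key from the certificate file
    m = rsa_apply((e, n), encrypted_data)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[1:]                                                     # drop the 0x01 prefix

def demo():
    """Run the honest flow and a constructed tampering case; returns (plaintext, tampered_result)."""
    cert = create_first_target_certificate("server-105", USER_PUB, "SHA2", SIG_PRIV)
    ciphertext = encrypt_target_data(b"target data", USER_PRIV)
    ok = client_verify_and_decrypt(ciphertext, SIG_PUB, cert)
    tampered = json.loads(json.dumps(cert))
    tampered["file"]["server_id"] = "server-999"   # constructed change after signing
    bad = client_verify_and_decrypt(ciphertext, SIG_PUB, tampered)
    return ok, bad
```

Because the certificate is produced and signed by the same server that is being authenticated, the user's check only proves that the certificate file has not changed since signing; trust in the signature public key itself has to come from somewhere else, which is the gap the second embodiment (a certificate issued by a security certificate authority) addresses.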
According to another embodiment of the present disclosure, a private key of a second target security certificate is obtained. And encrypting the target data according to the private key to obtain second encrypted target data. And sending the second encrypted target data to the user.
Fig. 3 schematically shows a flow chart of a method of creating a security certificate according to another embodiment of the present disclosure.
As shown in fig. 3, the method of creating a security certificate of this embodiment includes the following operations.
In operation S311, an access request from a user is received.
According to the embodiment of the disclosure, when a user wants to establish ciphertext data transmission connection with a server, the user sends an access request to the server. The access request may include at least one of a domain name, an IP address, and a data transfer mode.
In operation S312, it is determined whether the target data corresponding to the access request requires encrypted transmission.
According to the embodiment of the disclosure, when the access request sent by the user is a data transmission mode, the server determines the transmission mode of the target data corresponding to the access request according to the data transmission mode sent by the user. And under the condition that the access request sent by the user is a domain name, the server determines the transmission mode of the target data corresponding to the access request according to the domain name. The server stores at least one domain name, and each domain name is associated with a data transmission mode corresponding to the domain name.
In operation S313, the target data is not encrypted.
According to the embodiment of the disclosure, whether target data corresponding to an access request needs to be transmitted in an encrypted manner is determined according to the received access request from a user. If it is determined that the target data corresponding to the access request needs to be transmitted in an encrypted manner, operation S320 is performed. If it is determined that the target data corresponding to the access request does not require encryption transmission, operation S313 is performed, where the target data is sent to the user without being encrypted.
In operation S320, it is determined whether a security certificate associated with the access request exists.
According to the embodiment of the present disclosure, in the case that the security certificate associated with the access request exists in the database, operation S340 is performed, and the target data is encrypted according to the target security certificate to obtain the encrypted target data. In the case that the security certificate associated with the access request does not exist in the database, operation S331 is performed to obtain mode field information in the access request, where the mode field information indicates whether the adaptive mode is turned on.
In operation S331, mode field information in the access request is acquired, the mode field information indicating whether the adaptive mode is turned on.
According to an embodiment of the present disclosure, the access request further includes mode field information indicating whether the adaptive mode is turned on. For example, if the mode field information is empty, or explicitly indicates that the adaptive mode is turned on, the adaptive mode is taken as turned on; otherwise (the field is not empty and indicates that the adaptive mode is not turned on), the adaptive mode is taken as not turned on.
In operation S332, it is determined whether the mode field information indicates that the adaptive mode is turned on.
In operation S333, a target security certificate associated with the access request is created.
According to the embodiment of the disclosure, whether the mode field information indicates to open the adaptive mode is determined according to the mode field information in the acquired access request. In the case where the mode field information indicates that the adaptive mode is turned on, operation S313 is performed without encrypting the target data. In the case where the mode field information indicates that the adaptive mode is not turned on, operation S333 is performed to create a target security certificate associated with the access request.
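The decision sequence of operations S311 to S333 as an added Python example (not the patent's own code). The domain table, the certificate store and the spelling of the mode field values are constructed assumptions; the lookup that maps a domain to its transmission mode, the certificate check and the adaptive-mode rule follow the text. With the adaptive mode on, the branch that reaches S313 sends the target data in plaintext, so the returned action names that case separately to keep the downgrade visible in logs.

```python
# Constructed server-side state (sample values, not from the patent).
DOMAIN_MODES = {                 # each stored domain is associated with a transmission mode
    "pay.example.test": "encrypted",
    "shop.example.test": "encrypted",
    "news.example.test": "plaintext",
}
CERT_STORE = {                   # security certificates already in the database, keyed by domain
    "shop.example.test": {"server_id": "server-105", "signature_algorithm": "SHA2"},
}

def adaptive_mode_on(mode_field):
    """Mode field rule from the text: an empty field, or an explicit 'on', means adaptive mode is on."""
    return mode_field is None or mode_field == "" or mode_field == "on"

def needs_encryption(request, domain_modes=DOMAIN_MODES):
    """Operation S312: a transfer mode carried in the request wins; otherwise the domain table decides."""
    if "data_transfer_mode" in request:
        return request["data_transfer_mode"] == "encrypted"
    # An unknown domain raises KeyError here rather than silently defaulting to plaintext (assumption).
    return domain_modes[request["domain"]] == "encrypted"

def handle_access_request(request, domain_modes=DOMAIN_MODES, cert_store=CERT_STORE):
    """Walk the Fig. 3 decision sequence; returns (operation reached, detail)."""
    if not needs_encryption(request, domain_modes):
        return "S313_plaintext", None                         # no encrypted transmission required
    cert = cert_store.get(request.get("domain"))               # S320: certificate associated with request?
    if cert is not None:
        return "S340_encrypt_with_existing_certificate", cert
    mode_field = request.get("mode")                            # S331: read the mode field
    if adaptive_mode_on(mode_field):                            # S332
        return "S313_plaintext_adaptive_downgrade", None        # worth logging: data leaves unencrypted
    return "S333_create_target_certificate", request.get("domain")
```

A request for an encrypted domain that carries no mode field at all lands in the downgrade branch, which is the case a reviewer of this flow would want an alert on: the absence of a field, not an explicit choice, decides that the data goes out in plaintext.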
According to the embodiment of the disclosure, a service identifier is determined according to an access request; and determining the encryption information associated with the service identifier according to the service identifier. And generating a first target security certificate according to the server identification and the encryption information. The first target security credential is associated with the access request.
According to another embodiment of the disclosure, a target security certificate request including a server identification is sent. In response to receiving the second target security certificate, the second target security certificate is associated with the access request.
Upon determining that the mode field information indicates that the adaptive mode is not turned on, the server sends a target security certificate request to the security certificate authority. The target security certificate request includes a server identification.
After receiving the target security certificate request from the server, the security certificate authority generates a second target security certificate according to the request and sends payment information to the server. After receiving the payment information, the server transfers funds equal to the amount stated in the payment information to the security certificate authority, together with the address to which the certificate should be delivered. After receiving the funds and the address, the security certificate authority sends the second target security certificate to that address. The server associates the received second target security certificate with the access request.
The second target security certificate may include a second target security certificate file, a second encrypted digital signature, and a second digital signature algorithm. The second target security certificate file includes the server identification sent by the server and the public key of the second target security certificate user key pair. The second encrypted digital signature is the ciphertext obtained by encrypting the second digital signature with the private key of the second digital signature key pair. The second digital signature is the one-way digest of the second target security certificate file computed with the second digital signature encryption algorithm (the text's irreversible encryption). It should be noted that the public key of the second target security certificate user key pair included in the second target security certificate file may be generated by the security certificate authority or may be sent to the security certificate authority by the server.
And the server receives a second target security certificate sent by the security certification authority and associates the second target security certificate with the access request.
According to another embodiment of the present disclosure, the target security certificate request further includes at least one of a service identification, an encryption level, and an encryption algorithm.
In operation S340, the target data is encrypted according to the target security certificate, so as to obtain encrypted target data.
Operation S340 may encrypt the target data according to the target security certificate in the same way as operation S240 described above, obtaining the encrypted target data; the details are not repeated here.
According to another embodiment of the present disclosure, the private key of the second target security certificate is obtained, the target data is encrypted with that private key to obtain second encrypted target data, and the second encrypted target data is sent to the user.
The private key of the second target security certificate is the private key of the key pair of the second target security certificate user. The target data is encrypted with this private key to obtain the second encrypted target data, which is then sent to the user.
After receiving the second encrypted target data, the user obtains the server's second target security certificate and the public key of the second digital signature key pair. The user verifies the second target security certificate and establishes the ciphertext data transmission connection. The user verifies the second target security certificate file in the same way as in operation S240, which is not repeated here.
According to another embodiment of the present disclosure, the private key of the second target security certificate is obtained, and the target data is encrypted with that private key to obtain second encrypted target data. The second encrypted target data and the second target security certificate are sent to the user together. The user verifies the second target security certificate and establishes the ciphertext data transmission connection, verifying the second target security certificate file in the same way as in operation S240, which is not repeated here.
By checking the mode field information in the access request, the method and device determine whether a target security certificate needs to be created when no security certificate associated with the access request exists. When the adaptive mode is not turned on, a security certificate associated with the access request is created so that the user side can verify it and establish the ciphertext data transmission connection. In this way, the likelihood that the user obtains the encrypted target data is increased while the user's encryption requirements are taken into account.
Fig. 4 schematically illustrates a schematic flow chart of a method of creating a target security certificate according to an embodiment of the present disclosure.
As shown in fig. 4, a schematic flowchart 400 of a method of creating a target security certificate of this embodiment includes a user 401 and a server 402.
When user 401 wants to establish a ciphertext data transmission connection with server 402, user 401 sends an access request to server 402. After receiving the access request, server 402 determines whether the target data corresponding to the access request needs encrypted transmission. If server 402 determines that no security certificate associated with the access request exists and the mode field information in the access request indicates that the adaptive mode is not turned on, operation S230 is performed to create a first target security certificate associated with the access request.
Server 402 encrypts the target data corresponding to the access request with the private key of the first target security certificate user's key pair to obtain first encrypted target data, and sends the first encrypted target data and the public key of the first digital signature key pair to user 401.
After obtaining the first target security certificate, user 401 verifies the first target security certificate file in it using the public key of the first digital signature key pair. If verification passes, user 401 takes the public key of the first target security certificate user's key pair from the certificate file and decrypts the first encrypted target data with it to obtain the target data.
Those skilled in the art will appreciate that the above embodiments are merely examples, and that the interaction of particular users and servers of the present disclosure is not so limited.
Fig. 5 schematically shows a schematic flow chart for creating a target security certificate according to another embodiment of the present disclosure.
As shown in fig. 5, a schematic flowchart 500 of the method of creating a target security certificate of this embodiment includes a user 501, a server 502, and a security certificate authority 503.
After receiving the second target security certificate from security certificate authority 503, server 502 encrypts the target data with the private key of the second target security certificate user's key pair to obtain second encrypted target data, and sends the second encrypted target data to user 501.
After receiving the second encrypted target data from server 502, user 501 sends a security certificate request, which includes the server identifier of server 502, to security certificate authority 503; on receiving that request, security certificate authority 503 sends the second target security certificate to user 501.
After obtaining the second target security certificate, user 501 verifies the second target security certificate file in it using the public key of the second digital signature key pair. If verification passes, user 501 takes the public key of the second target security certificate user's key pair from the certificate file and decrypts the second encrypted target data with it to obtain the target data.
Those skilled in the art will appreciate that the above embodiments are merely examples, and the interaction between particular users, servers, and security certificate authorities of the present disclosure is not limited thereto.
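The Fig. 5 exchange above, together with the mode-field decision of operations S332/S333 and the three-part structure described for the second target security certificate, as an added example in Go. This is not code from the patent or from any product implementing it. Everything the patent leaves open is an assumption here: the request field names, SHA-256 for the one-way digest of the certificate file, Ed25519 for the digital-signature key pair, RSA for the certificate user's key pair, and a 0x01 prefix so that leading zero bytes of the target data survive. The "encrypt with the private key, decrypt with the public key" step is shown as textbook RSA to match the description literally; in standard terms that is a signing operation, so anyone holding the public key can recover the data and the step authenticates the data to the certificate rather than concealing it. The Fig. 4 variant differs only in who runs Issue: the server itself, with a signing key of its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// AccessRequest: the request fields the method inspects (field names are assumptions).
type AccessRequest struct {
	ServerID     string
	NeedsEncrypt bool   // target data requires encrypted transmission
	ModeField    string // "" or "on": adaptive mode on; "off": adaptive mode off
}

// NeedsCertificate: encryption required, no certificate on file, adaptive mode off.
func NeedsCertificate(req AccessRequest, existing map[string]*Certificate) bool {
	if _, onFile := existing[req.ServerID]; !req.NeedsEncrypt || onFile {
		return false
	}
	return !(req.ModeField == "" || req.ModeField == "on")
}

// Certificate: the file (server identifier + certificate user's RSA public key)
// plus the encrypted digital signature over it and the algorithm name.
type Certificate struct {
	ServerID  string
	N         *big.Int
	E         int
	Signature []byte
	Algorithm string
}

func (c *Certificate) fileBytes() []byte {
	return []byte(fmt.Sprintf("%s|%x|%d", c.ServerID, c.N, c.E))
}

// Issue is the authority's step (the server's own step in the Fig. 4 variant):
// digest the file (the one-way "digital signature"), then sign that digest.
func Issue(signPriv ed25519.PrivateKey, serverID string, pub *rsa.PublicKey) *Certificate {
	c := &Certificate{ServerID: serverID, N: pub.N, E: pub.E, Algorithm: "SHA-256+Ed25519"}
	d := sha256.Sum256(c.fileBytes())
	c.Signature = ed25519.Sign(signPriv, d[:])
	return c
}

// Verify is the user-side check with the digital-signature public key.
func Verify(signPub ed25519.PublicKey, c *Certificate) bool {
	d := sha256.Sum256(c.fileBytes())
	return c.Algorithm == "SHA-256+Ed25519" && ed25519.Verify(signPub, d[:], c.Signature)
}

// EncryptWithPrivateKey applies the private exponent (textbook RSA, m^d mod N). Anyone
// holding the public key can undo it: it binds the data to the certificate, not hides it.
func EncryptWithPrivateKey(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	m := new(big.Int).SetBytes(append([]byte{1}, data...)) // 0x01 prefix keeps leading zeros
	if m.Cmp(priv.N) >= 0 {
		return nil, errors.New("target data does not fit in one RSA block")
	}
	return new(big.Int).Exp(m, priv.D, priv.N).Bytes(), nil
}

// DecryptWithPublicKey undoes it with the public key from the verified certificate file.
func DecryptWithPublicKey(c *Certificate, ct []byte) ([]byte, error) {
	m := new(big.Int).Exp(new(big.Int).SetBytes(ct), big.NewInt(int64(c.E)), c.N).Bytes()
	if len(m) == 0 || m[0] != 1 {
		return nil, errors.New("recovered block lacks the 0x01 prefix")
	}
	return m[1:], nil
}

// Exchange runs the Fig. 5 flow with the authority's signing key and the server's
// key pair, and returns what the user recovers.
func Exchange(req AccessRequest, target []byte, caPriv ed25519.PrivateKey, serverKey *rsa.PrivateKey) ([]byte, error) {
	if !NeedsCertificate(req, nil) {
		return target, nil // no certificate created; target data is sent unencrypted
	}
	cert := Issue(caPriv, req.ServerID, &serverKey.PublicKey)
	ct, err := EncryptWithPrivateKey(serverKey, target)
	if err != nil {
		return nil, err
	}
	// User side: fetch the certificate for req.ServerID from the authority, verify, recover.
	if !Verify(caPriv.Public().(ed25519.PublicKey), cert) {
		return nil, errors.New("security certificate failed verification")
	}
	return DecryptWithPublicKey(cert, ct)
}

func main() {
	_, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	req := AccessRequest{ServerID: "srv-01", NeedsEncrypt: true, ModeField: "off"}
	out, err := Exchange(req, []byte("balance=42"), caPriv, serverKey) // constructed sample data
	fmt.Printf("%q %v\n", out, err)
}
```

Verify recomputes the digest from the certificate file itself rather than trusting a digest carried in the certificate, so any change to the server identifier or the public key in the file invalidates the authority's signature. The single-block textbook RSA transform is only what is needed to mirror the description; a deployment would use a padded signature scheme over the data and a separate mechanism for confidentiality.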
Based on the method for creating the security certificate, the disclosure also provides a device for creating the security certificate. The apparatus will be described in detail below with reference to fig. 6.
Fig. 6 schematically shows a block diagram of the structure of the apparatus for creating a security certificate according to an embodiment of the present disclosure.
As shown in fig. 6, the apparatus 600 for creating a security certificate of this embodiment includes a first determining module 610, a second determining module 620, a creating module 630, and an encrypting module 640.
The first determining module 610 is configured to determine whether target data corresponding to an access request needs encrypted transmission in response to receiving the access request from a user. In an embodiment, the first determining module 610 may be configured to perform the operation S210 described above, and is not described herein again.
The second determination module 620 is configured to determine whether a security credential associated with the access request exists if it is determined that the target data corresponding to the access request requires encrypted transmission. In an embodiment, the second determining module 620 may be configured to perform the operation S220 described above, which is not described herein again.
The creation module 630 is configured to create a target security credential associated with the access request if it is determined that the security credential associated with the access request does not exist. In an embodiment, the creating module 630 may be configured to perform the operation S230 described above, which is not described herein again.
According to an embodiment of the present disclosure, the creation module 630 is further configured to: acquire the mode field information in the access request, the mode field information indicating whether the adaptive mode is turned on; and create a target security certificate associated with the access request if the mode field information indicates that the adaptive mode is not turned on.
According to an embodiment of the present disclosure, the creation module 630 is further configured to: determine a service identifier from the access request; determine, from the service identifier, the encryption information associated with it; generate a first target security certificate from the server identifier and the encryption information; and associate the first target security certificate with the access request.
According to an embodiment of the present disclosure, the creation module 630 is further configured to: send a target security certificate request that includes a server identifier; and, in response to receiving the second target security certificate, associate the second target security certificate with the access request. The target security certificate request may further include at least one of a service identifier, an encryption level, and an encryption algorithm.
The encryption module 640 is configured to encrypt the target data according to the target security certificate to obtain encrypted target data. In an embodiment, the encryption module 640 may be configured to perform the operation S240 described above, which is not described herein again.
According to an embodiment of the present disclosure, the encryption module 640 is further configured to obtain the private key and the public key of the first target security certificate, and to encrypt the target data with the private key to obtain first encrypted target data. The encryption module 640 is further configured to send the first encrypted target data and the public key to the user.
According to an embodiment of the present disclosure, the encryption module 640 is further configured to obtain the private key of the second target security certificate, and to encrypt the target data with that private key to obtain second encrypted target data. The encryption module 640 is further configured to send the second encrypted target data to the user.
According to an embodiment of the present disclosure, any plurality of the first determining module 610, the second determining module 620, the creating module 630, and the encrypting module 640 may be combined in one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first determining module 610, the second determining module 620, the creating module 630, and the encrypting module 640 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in a suitable combination of any of them. Alternatively, at least one of the first determining module 610, the second determining module 620, the creating module 630 and the encrypting module 640 may be at least partially implemented as a computer program module, which when executed, may perform a corresponding function.
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement the method of creating security credentials according to an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code causes the computer system to carry out the method of creating a security certificate provided by the embodiments of the present disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 701. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, C, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.
Claims (11)
1. A method of creating a security certificate, comprising:
in response to receiving an access request from a user, determining whether target data corresponding to the access request needs encrypted transmission;
determining whether a security certificate associated with the access request exists in the event that it is determined that target data corresponding to the access request requires encrypted transmission;
in an instance in which it is determined that the security credential associated with the access request does not exist, creating a target security credential associated with the access request; and
encrypting the target data according to the target security certificate to obtain encrypted target data.
2. The method of claim 1, wherein the creating a target security credential associated with the access request comprises:
acquiring mode field information in the access request, wherein the mode field information indicates whether to start an adaptive mode; and
in the event that the mode field information indicates that an adaptive mode is not to be turned on, a target security credential associated with the access request is created.
3. The method of claim 1 or 2, wherein the creating a target security credential associated with the access request comprises:
determining a service identifier according to the access request;
according to the service identifier, determining encryption information associated with the service identifier;
generating a first target security certificate according to the server identifier and the encryption information; and
associating the first target security credential with the access request.
4. The method of claim 3, wherein the encrypting the target data according to the target security certificate comprises:
acquiring a private key and a public key of the first target security certificate; and
encrypting target data by using the private key to obtain first encrypted target data;
the method further comprises the following steps:
sending the first encrypted target data and the public key to the user.
5. The method of claim 1 or 2, wherein the creating a target security credential associated with the access request further comprises:
sending a target security certificate request, the target security certificate request including a server identification; and
in response to receiving a second target security credential, associating the second target security credential with the access request.
6. The method of claim 5, wherein the target security certificate request further comprises at least one of a service identifier, an encryption level, and an encryption algorithm.
7. The method of claim 5, wherein the encrypting the target data according to the target security certificate comprises:
obtaining a private key of the second target security certificate; and
encrypting the target data according to the private key to obtain second encrypted target data;
the method further comprises the following steps:
sending the second encrypted target data to the user.
8. An apparatus for creating a security certificate, comprising:
a first determination module, configured to determine, in response to receiving an access request from a user, whether target data corresponding to the access request needs encrypted transmission;
a second determination module, configured to determine whether a security certificate associated with the access request exists, if it is determined that target data corresponding to the access request needs encrypted transmission;
a creation module to create a target security credential associated with the access request if it is determined that there is no security credential associated with the access request; and
an encryption module, configured to encrypt the target data according to the target security certificate to obtain encrypted target data.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210041368.7A CN114386073A (en) | 2022-01-14 | 2022-01-14 | Method and device for creating security certificate, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210041368.7A CN114386073A (en) | 2022-01-14 | 2022-01-14 | Method and device for creating security certificate, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114386073A true CN114386073A (en) | 2022-04-22 |
Family
ID=81200901
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210041368.7A Pending CN114386073A (en) | 2022-01-14 | 2022-01-14 | Method and device for creating security certificate, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114386073A (en) |
- 2022-01-14: CN CN202210041368.7A patent/CN114386073A/en, active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||