CN106411520B - Method, device and system for processing virtual resource data - Google Patents
Method, device and system for processing virtual resource data Download PDFInfo
- Publication number
- CN106411520B CN106411520B CN201510455785.6A CN201510455785A CN106411520B CN 106411520 B CN106411520 B CN 106411520B CN 201510455785 A CN201510455785 A CN 201510455785A CN 106411520 B CN106411520 B CN 106411520B
- Authority
- CN
- China
- Prior art keywords
- challenge code
- digital signature
- virtual resource
- client
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method, a device and a system for processing virtual resource data, wherein the method comprises the steps of sending a transfer request of virtual resources, wherein the transfer request carries field information related to the request; acquiring a first challenge code generated after encryption by using a public key of a client certificate; acquiring a private key of a client certificate, and decrypting the first challenge code by using the private key of the client certificate; generating a first digital signature according to the decrypted first challenge code and the field information; when the first digital signature is determined to be consistent with the second digital signature in the server, then the virtual resource transfer is indicated to be allowed. Since the attacker does not have the client certificate of the user and cannot decrypt the challenge code encrypted by the public key, the attacker cannot imitate the signature of the user; the digital signature comprises relevant information corresponding to the payment request, and the signature can only be used for the transaction, so that the security of the transaction is ensured; the challenge code is set in advance, so that the load pressure brought to the server during the peak payment is greatly reduced, and the running speed is improved.
Description
Technical Field
The present invention belongs to the field of communications technologies, and in particular, to a method, an apparatus, and a system for processing virtual resource data.
Background
With the continuous progress of internet technology, people have higher and higher requirements on internet security.
Taking quick payment based on a client digital certificate as an example, when a payment request is initiated, a private key in the client digital certificate is used for digitally signing part of field pairs in the payment request at first, then signed data is used as a new field and submitted to a payment background server together with other information in the payment request, the background server decrypts the signature by using a public key of the certificate after receiving the request, and if the decryption is successful and the decrypted data is correct, the payment request is considered to be correct for a user. Because the private key of the client certificate can be obtained only on the terminal equipment of the user, other people can hardly copy the signature of the user.
During the research and practice process of the prior art, the inventor of the present invention found that when a payment request of a user is processed in the background, the signature of the user encrypted by using an asymmetric encryption algorithm needs to be decrypted in real time, and the efficiency of encryption and decryption by using the asymmetric encryption algorithm is quite low. Taking the public key encryption algorithm (RSA, RSA algorithm) as an example, the encryption/decryption speed is about 1/1000 of a symmetric encryption algorithm with the same encryption strength. Under the design, the pressure of the certificate user on the background server is necessarily obviously greater than that of the non-certificate user, and the operation efficiency is relatively low.
Disclosure of Invention
The invention aims to provide a method and a device for processing virtual resource data, aiming at reducing the load pressure of a server and improving the running speed of the server.
To solve the above technical problem, a first aspect of an embodiment of the present invention provides:
a method for processing virtual resource data comprises the following steps:
sending a transfer request of virtual resource data, wherein the transfer request carries field information related to the request;
acquiring a first challenge code preset by a server according to the transfer request, wherein the first challenge code is generated after being encrypted by a public key of a client certificate;
obtaining a private key of a client certificate, and decrypting the first challenge code by using the private key of the client certificate;
generating a first digital signature according to the decrypted first challenge code and the field information;
when the first digital signature is determined to be consistent with a second digital signature, indicating that the virtual resource transfer is allowed, wherein the second digital signature is a digital signature generated by the server.
A second aspect of embodiments of the present invention provides:
a method for processing virtual resource data comprises the following steps:
receiving a transfer request of virtual resource data, wherein the transfer request carries field information related to the request;
sending a preset first challenge code to the client according to the transfer request, wherein the first challenge code is generated after being encrypted by a public key of a client certificate;
receiving a first digital signature sent by a client, wherein the first digital signature is generated by the client by decrypting the first challenge code by using a private key of a client certificate and according to the decrypted first challenge code and the field information;
when the first digital signature is determined to be consistent with a second digital signature, indicating that the virtual resource transfer is allowed, wherein the second digital signature is a digital signature generated by the server.
A third aspect of embodiments of the present invention provides:
an apparatus for processing virtual resource data, comprising:
the first sending module is used for sending a transfer request of the virtual resource data, wherein the transfer request carries field information related to the request;
the first obtaining module is used for obtaining a first challenge code preset by the server according to the transfer request, and the first challenge code is generated after being encrypted by a public key of the client certificate;
the decryption module is used for acquiring a private key of the client certificate and decrypting the first challenge code by using the private key of the client certificate;
the first generation module is used for generating a first digital signature according to the decrypted first challenge code and the field information;
a first indication module, configured to indicate that the virtual resource is allowed to be transferred when it is determined that the first digital signature is consistent with a second digital signature, where the second digital signature is a digital signature generated by the server.
A fourth aspect of embodiments of the present invention provides:
an apparatus for processing virtual resource data, comprising:
a second receiving module, configured to receive a transfer request of virtual resource data, where the transfer request carries field information related to the request;
the third sending module is used for sending a preset first challenge code to the client according to the transfer request, wherein the first challenge code is generated after being encrypted by using a public key of a client certificate;
the third receiving module is used for receiving a first digital signature sent by a client, wherein the first digital signature is generated by the client by decrypting the first challenge code by using a private key of a client certificate and according to the decrypted first challenge code and the field information;
and the second indicating module is used for indicating that the virtual resource transfer is allowed when the first digital signature is determined to be consistent with a second digital signature, wherein the second digital signature is a digital signature generated by the server.
A fifth aspect of embodiments of the present invention provides:
a processing system of virtual resource data, comprising a client and a server, wherein the client is a processing device of virtual resource data provided by the third aspect, and the server is a processing device of virtual resource data provided by the fourth aspect.
Compared with the prior art, in the embodiment, the server uses the public key in the client certificate in advance to generate the challenge code for the user; decrypting the challenge code by using a private key of the client certificate when the user requests the virtual resource transfer; then generating a digital signature according to the decrypted challenge code and the field information related to the request; the server confirms whether the virtual resource transfer request is legal or not by verifying the correctness of the digital signature generated by the client; since the attacker does not have the client certificate of the user and cannot decrypt the challenge code encrypted by the public key, the attacker cannot imitate the signature of the user. The generated digital signature contains the relevant information corresponding to the payment request, and the signature can only be used for the transaction, so that the security of the transaction can be ensured; and moreover, as the challenge code is set in advance, the load pressure brought to the server during the peak payment is greatly reduced, and the running speed of the server is improved.
Drawings
The technical solution and other advantages of the present invention will become apparent from the following detailed description of specific embodiments of the present invention, which is to be read in connection with the accompanying drawings.
Fig. 1 is a flowchart illustrating a processing method of virtual resource data according to a first embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for processing virtual resource data according to a second embodiment of the present invention;
fig. 3 is a flowchart illustrating a method for processing virtual resource data according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of a virtual resource data processing apparatus according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of a virtual resource data processing apparatus according to a fifth embodiment of the present invention;
fig. 6 is a schematic structural diagram of a system for processing virtual resource data according to a sixth embodiment of the present invention.
Detailed Description
Referring to the drawings, wherein like reference numbers refer to like elements, the principles of the present invention are illustrated as being implemented in a suitable computing environment. The following description is based on illustrated embodiments of the invention and should not be taken as limiting the invention with regard to other embodiments that are not detailed herein.
In the description that follows, specific embodiments of the present invention are described with reference to steps and symbols executed by one or more computers, unless otherwise indicated. Accordingly, these steps and operations will be referred to, several times, as being performed by a computer, the computer performing operations involving a processing unit of the computer in electronic signals representing data in a structured form. This operation transforms the data or maintains it at locations in the computer's memory system, which may be reconfigured or otherwise altered in a manner well known to those skilled in the art. The data maintains a data structure that is a physical location of the memory that has particular characteristics defined by the data format. However, while the principles of the invention have been described in language specific to above, it is not intended to be limited to the specific form set forth herein, but on the contrary, it is to be understood that various steps and operations described hereinafter may be implemented in hardware.
The principles of the present invention are operational with numerous other general purpose or special purpose computing, communication environments or configurations. Examples of well known computing systems, environments, and configurations that may be suitable for use with the invention include, but are not limited to, hand-held telephones, personal computers, servers, multiprocessor systems, microcomputer-based systems, mainframe-based computers, and distributed computing environments that include any of the above systems or devices.
The term "module" as used herein may be considered a software object executing on the computing system. The various components, modules, engines, and services described herein may be viewed as objects implemented on the computing system. The apparatus and method described herein are preferably implemented in software, but may also be implemented in hardware, and are within the scope of the present invention.
First embodiment
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for processing virtual resource data according to a first embodiment of the present invention. The method comprises the following steps:
in step S101, a transfer request of virtual resource data is sent, where the transfer request carries field information related to the request.
It is understood that the method for processing the virtual resource data may be executed on a client, and the client may be a terminal with computing capability, such as a notebook computer, a tablet pc (personal computer), a mobile phone, and the like, which has a storage unit and is installed with a microprocessor, and the present invention is not limited thereto.
The virtual resource data transfer request in the embodiment of the present invention may include mobile payment processing, deduction processing, transfer processing, and the like, and is not limited specifically here.
In step S102, a first challenge code preset by the server is obtained according to the transfer request, and the first challenge code is generated after being encrypted by using a public key of the client certificate.
In step S103, a private key of the client certificate is obtained, and the first challenge code is decrypted by using the private key of the client certificate.
In step S104, a first digital signature is generated according to the decrypted first challenge code and the field information.
The steps S102 to S104 may specifically be:
it is understood that the challenge code (challenge) is also called a challenge password, and refers to a set of encrypted passwords generated by following a handshake authentication protocol, and is used for ensuring that the true password of the user is not leaked during the transmission process. In the embodiment of the invention, the first challenge code is generated after a server encrypts by using a public key of a client certificate; it is to be understood that "first" and "second" in the present embodiment are merely for convenience of distinguishing and description, and are not to be construed as limiting.
After the client acquires the first challenge code of the server, the client decrypts the first challenge code by using a private key of a client certificate, and then generates a first digital signature according to the decrypted first challenge code and field information related to the request.
In step S105, when it is determined that the first digital signature is consistent with the second digital signature in the server, it indicates that the virtual resource transfer is allowed.
The server obtains a first digital signature generated by the client, compares the first digital signature with a second digital signature generated by the client, and accepts a virtual resource transfer request sent by the client if the first digital signature is consistent with the second digital signature, and the client indicates to a user that the virtual resource transfer is allowed.
As can be seen from the above, in the processing method of virtual resource data provided in this embodiment, the server uses the public key in the client certificate in advance to generate the challenge code for the user; decrypting the challenge code by using a private key of the client certificate when the user requests the virtual resource transfer; then generating a digital signature according to the decrypted challenge code and the field information related to the request; the server confirms whether the virtual resource transfer request is legal or not by verifying the correctness of the digital signature generated by the client; since the attacker does not have the client certificate of the user and cannot decrypt the challenge code encrypted by the public key, the attacker cannot imitate the signature of the user. The generated digital signature contains the relevant information corresponding to the payment request, and the signature can only be used for the transaction, so that the security of the transaction can be ensured; and moreover, as the challenge code is set in advance, the load pressure brought to the server during the peak payment is greatly reduced, and the running speed of the server is improved.
Second embodiment
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for processing virtual resource data according to a second embodiment of the present invention.
The embodiment provides a processing method of virtual resource data corresponding to the first embodiment; the method is operated on the basis of a server, and the server receives a virtual resource transfer request sent by a client and processes the virtual resource transfer request; the client can be a terminal with a storage unit, a microprocessor and an arithmetic capability, such as a notebook computer, a tablet PC, a mobile phone and the like; the virtual resource data transfer request in the embodiment of the present invention may include mobile payment processing, deduction processing, transfer processing, and the like, and is not limited specifically here.
The method comprises the following steps:
in step S201, a transfer request of virtual resource data is received, where the transfer request carries field information related to the request.
In step S202, according to the transfer request, a preset first challenge code is sent to the client, where the first challenge code is generated after being encrypted by using a public key of the client certificate.
In step S203, a first digital signature sent by the client is received, where the first digital signature is generated by the client by decrypting the first challenge code with a private key of a client certificate and according to the decrypted first challenge code and the field information.
The steps S201 and S203 may specifically be:
it is understood that the challenge code, also referred to as a challenge password, refers to a set of encrypted passwords generated following a handshake authentication protocol for ensuring that the user's true password is not revealed during transmission. In the embodiment of the present invention, the first challenge code is a challenge code generated by a server after being encrypted by using a public key of a client certificate.
After the client acquires the first challenge code of the server, the client decrypts the first challenge code by using a private key of a client certificate, then generates a first digital signature according to the decrypted first challenge code and field information related to the request, and sends the first digital signature to the server; since the attacker does not have the client certificate of the user and cannot decrypt the first challenge code encrypted by the public key, the attacker cannot imitate the digital signature of the user, and the transaction security is improved.
In step S204, when it is determined that the first digital signature is consistent with the second digital signature in the server, it indicates that the virtual resource transfer is allowed.
The server obtains a first digital signature generated by the client, compares the first digital signature with a second digital signature generated by the client, and accepts a virtual resource transfer request sent by the client if the first digital signature is consistent with the second digital signature, and the client indicates to a user that the virtual resource transfer is allowed.
As can be seen from the above, in the processing method of virtual resource data provided in this embodiment, the server uses the public key in the client certificate in advance to generate the challenge code for the user; decrypting the challenge code by using a private key of the client certificate when the user requests the virtual resource transfer; then generating a digital signature according to the decrypted challenge code and the field information related to the request; the server confirms whether the virtual resource transfer request is legal or not by verifying the correctness of the digital signature generated by the client; since the attacker does not have the client certificate of the user and cannot decrypt the challenge code encrypted by the public key, the attacker cannot imitate the signature of the user. The generated digital signature contains the relevant information corresponding to the payment request, and the signature can only be used for the transaction, so that the security of the transaction can be ensured; and moreover, as the challenge code is set in advance, the load pressure brought to the server during the peak payment is greatly reduced, and the running speed of the server is improved.
Third embodiment
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for processing virtual resource data according to a third embodiment of the present invention. The method comprises the following steps:
in step S301, the server receives user information;
in step S302, the server generates a corresponding second challenge code according to the user information, where the second challenge code carries a corresponding challenge code plaintext and a challenge code ciphertext;
in step S303, the server acquires a public key of the user client certificate indicated by the user information;
in step S304, the server encrypts the second challenge code by using the public key of the client certificate, generates a first challenge code, and stores the challenge code plaintext and the challenge code ciphertext.
The steps S301 to S304 may specifically be: the first challenge code preset in the server may be set before the virtual resource is transferred, where the first challenge code is generated after the server is encrypted by using a public key of the client certificate.
It is understood that, for a client, before sending a request for transferring a virtual resource, user information is sent, so that the server performs processing according to the user information to generate a first challenge code, where the processing includes: the server generates a corresponding second challenge code according to the user information, acquires a public key of a client certificate indicated by the user information, and encrypts the second challenge code by using the public key of the client certificate to generate a first challenge code.
In step S305, the client sends a transfer request of virtual resource data, where the transfer request carries field information related to the request;
in this embodiment of the present invention, the request for transferring the virtual resource data may include mobile payment processing, deduction processing, transfer processing, and the like, which is not specifically limited herein.
In step S306, the server sends a preset first challenge code to the client according to the transfer request;
in step S307, the client acquires a private key of the client certificate, and decrypts the first challenge code using the private key of the client certificate;
in step S308, the client generates a first digital signature according to the decrypted first challenge code and the field information;
the steps S306 to S308 may specifically be:
preferably, the client generates the first digital signature by using a one-way hash algorithm according to the decrypted first challenge code and the order number field in the field information.
After the client acquires the first challenge code, the client decrypts the first challenge code by using a private key of a client certificate, then generates a first digital signature according to the decrypted first challenge code and field information related to a request, and sends the first digital signature and the field information to the server; since the attacker does not have the client certificate of the user and cannot decrypt the first challenge code encrypted by the public key, the attacker cannot imitate the digital signature of the user, and the transaction security is improved.
In step S309, the server obtains the first digital signature, and compares the first digital signature with a second digital signature in the server;
it can be understood that, after the server acquires the first digital signature and the field information, the server may generate a second digital signature by using the same algorithm, such as the above one-way hash algorithm, according to the challenge code plaintext and the field information; the server acquires a first digital signature generated by the client, compares the first digital signature with a second digital signature to obtain a comparison result, and sends the comparison result to the client.
And for the client, the client receives a comparison result sent by the server, the comparison result is obtained by the server according to the challenge code plaintext and the field information to generate a second digital signature, and the first digital signature and the second digital signature are compared.
In step S310, when it is determined that the first digital signature is consistent with the second digital signature in the server, it indicates that the virtual resource transfer is allowed.
And aiming at the client, when the client determines that the first digital signature is consistent with the second digital signature according to the comparison result, indicating that the virtual resource transfer is allowed.
To facilitate understanding of the technical solution of the present invention, based on the above embodiment, the following analysis and description are performed on the processing method of the virtual resource data in a specific application scenario:
in the scenario, the virtual resource transfer specifically refers to payment processing between a client and a server, wherein the server may specifically be a payment background server, and the client may specifically be a mobile phone;
the method comprises the following steps:
step S1, the client sends a payment request to the payment background server;
namely, after ordering by using a client, a user clicks on payment to trigger the payment request to be sent to a server.
Step S2, the payment background server receives the payment request and returns a first challenge code encrypted by the public key of the client certificate;
and the payment background server detects the legality of the order and returns the first challenge code and information such as the details of the order and the supported payment mode.
And step S3, after receiving the first challenge code, the client pops up a payment confirmation interface for the user to confirm the correctness of the payment mode and the order information.
The user clicks the determination and proceeds to step S4.
Step S4, the client uses the private key in the client certificate to decrypt the first challenge code, and then uses the fields of the decrypted first challenge code, the order number, the payment mode selected by the user and the like to generate a signature field Signtr (namely a first digital signature) by using an MD5 algorithm; SignStr is then sent to the payment backend server along with the order number, payment method, and other payment related information.
And step S5, the payment background server generates a signature field (namely a second digital signature) by using the information such as the challenge code plaintext, the order number and the like by adopting the same algorithm of the client, compares the signature field with the signature field transmitted by the client for verification, and if the signature passes the verification, the payment is completed according to the fact that the payment success can be directly returned to the client or the user is required to verify the payment password and the short message verification code.
As can be seen from the above, in the processing method of virtual resource data provided in this embodiment, the server uses the public key in the client certificate in advance to generate the challenge code for the user; decrypting the challenge code by using a private key of the client certificate when the user requests the virtual resource transfer; then generating a digital signature according to the decrypted challenge code and the field information related to the request; the server confirms whether the virtual resource transfer request is legal or not by verifying the correctness of the digital signature generated by the client; since the attacker does not have the client certificate of the user and cannot decrypt the challenge code encrypted by the public key, the attacker cannot imitate the signature of the user. The generated digital signature contains the relevant information corresponding to the payment request, and the signature can only be used for the transaction, so that the security of the transaction can be ensured; and moreover, as the challenge code is set in advance, the load pressure brought to the server during the peak payment is greatly reduced, and the running speed of the server is improved. Furthermore, the service operation cost of quick payment based on the client digital certificate is reduced.
Fourth embodiment
In order to better implement the method for processing virtual resource data provided in the embodiments of the present invention, an embodiment of the present invention further provides a device based on the method for processing virtual resource data. The terms are the same as those in the method for processing virtual resources in the first embodiment, and details of implementation may refer to the description in the method embodiment.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a virtual resource data processing apparatus according to an embodiment of the present invention, where the virtual resource data processing apparatus is capable of operating on a client, and the client may be a terminal with computing capability, such as a notebook computer, a tablet PC, and a mobile phone, and the terminal has a storage unit and is installed with a microprocessor.
As shown in fig. 4, the processing apparatus of virtual resource data according to the present invention may include a first sending module 401, a first obtaining module 402, a decrypting module 403, a first generating module 404, and a first indicating module 405.
The first sending module 401 is configured to send a transfer request of virtual resource data, where the transfer request carries field information related to the request; the first obtaining module 402 is configured to obtain a first challenge code preset by a server according to the transfer request, where the first challenge code is generated after being encrypted by using a public key of a client certificate;
the decryption module 403 is configured to obtain a private key of a client certificate, and decrypt the first challenge code by using the private key of the client certificate; the first generating module 404 is configured to generate a first digital signature according to the decrypted first challenge code and the field information; the first indicating module 405 is configured to indicate that the virtual resource transfer is allowed when it is determined that the first digital signature is consistent with the second digital signature in the server.
Based on the processing apparatus of virtual resource data provided in fig. 4, the following preferable settings can also be made:
the first generating module 404 is specifically configured to: and generating a first digital signature by using a one-way hash algorithm according to the decrypted first challenge code and the order number field in the field information.
Further preferably, the apparatus may further include: the second sending module is used for sending the first digital signature and the field information to a server; the first receiving module is used for receiving a comparison result sent by the server, the comparison result is obtained by the server according to a challenge code plaintext carried by a second challenge code and the field information and comparing the first digital signature with the second digital signature, and the second challenge code is generated by the server according to user information sent by the client; based on this, the first indication module 405 is specifically configured to: indicating that the virtual resource transfer is allowed when the first digital signature is determined to be consistent with the second digital signature according to the comparison result.
It is understood that, for parts that are not described in detail in this embodiment, reference may be made to the detailed description of the processing method for virtual resource data in the first and third embodiments, and details are not described here again.
As can be seen from the above, in the processing apparatus for virtual resource data provided in this embodiment, the server uses the public key in the client certificate in advance to generate the challenge code for the user; decrypting the challenge code by using a private key of the client certificate when the user requests the virtual resource transfer; then generating a digital signature according to the decrypted challenge code and the field information related to the request; the server confirms whether the virtual resource transfer request is legal or not by verifying the correctness of the digital signature generated by the client; since the attacker does not have the client certificate of the user and cannot decrypt the challenge code encrypted by the public key, the attacker cannot imitate the signature of the user. The generated digital signature contains the relevant information corresponding to the payment request, and the signature can only be used for the transaction, so that the security of the transaction can be ensured; and moreover, as the challenge code is set in advance, the load pressure brought to the server during the peak payment is greatly reduced, and the running speed of the server is improved.
Fifth embodiment
Referring to fig. 5, fig. 5 is a schematic structural diagram of a virtual resource data processing apparatus according to an embodiment of the present invention, wherein the meaning of the noun is the same as that in the method for processing the virtual resource in the second embodiment, and specific implementation details can refer to the description in the method embodiment.
Preferably, the processing device of the virtual resource data includes a second receiving module 501, a third sending module 502, a third receiving module 503, and a second indicating module 504;
the second receiving module 501 is configured to receive a transfer request of virtual resource data, where the transfer request carries field information related to the request; the third sending module 502 is configured to send a preset first challenge code to the client according to the transfer request, where the first challenge code is generated after being encrypted by using a public key of a client certificate;
the third receiving module 503 is configured to receive a first digital signature sent by a client, where the first digital signature is generated by the client by decrypting the first challenge code with a private key of a client certificate and according to the decrypted first challenge code and the field information; the second indicating module 504 is configured to indicate that the virtual resource transfer is allowed when it is determined that the first digital signature is consistent with the second digital signature in the server.
Further, based on the processing apparatus of virtual resource data provided in fig. 5, the following preferable settings may also be made:
preferably, the apparatus may further include: the fourth receiving module is used for receiving the user information; the second generation module is used for generating a corresponding second challenge code according to the user information, wherein the second challenge code carries a corresponding challenge code plaintext and a challenge code ciphertext; the second acquisition module is used for acquiring the public key of the user client certificate indicated by the user information; and the encryption storage module is used for encrypting the second challenge code by using the public key of the client certificate to generate a first challenge code and storing the challenge code plaintext and the challenge code ciphertext.
Further preferably, the apparatus may further include: a fifth receiving module, configured to receive the first digital signature and the field information sent by the client; a third generating module, configured to generate a second digital signature using the challenge code plaintext and the field information; the comparison module is used for comparing the first digital signature with the second digital signature to obtain a comparison result; and the fourth sending module is used for sending the comparison result to the client.
It is understood that, for parts that are not described in detail in this embodiment, reference may be made to the detailed description of the processing method for virtual resource data in the second and third embodiments above, and details are not described here again.
As can be seen from the above, in the processing apparatus for virtual resource data provided in this embodiment, the server uses the public key in the client certificate in advance to generate the challenge code for the user; decrypting the challenge code by using a private key of the client certificate when the user requests the virtual resource transfer; then generating a digital signature according to the decrypted challenge code and the field information related to the request; the server confirms whether the virtual resource transfer request is legal or not by verifying the correctness of the digital signature generated by the client; since the attacker does not have the client certificate of the user and cannot decrypt the challenge code encrypted by the public key, the attacker cannot imitate the signature of the user. The generated digital signature contains the relevant information corresponding to the payment request, and the signature can only be used for the transaction, so that the security of the transaction can be ensured; and moreover, as the challenge code is set in advance, the load pressure brought to the server during the peak payment is greatly reduced, and the running speed of the server is improved.
Sixth embodiment
Referring to fig. 6, fig. 6 is a schematic structural diagram of a virtual resource processing system according to an embodiment of the present invention, where the virtual resource processing system includes: a server 601 and a client 602, wherein the client 602 may specifically be a processing device of virtual resource data according to the fourth embodiment, and the server 601 is a processing device of virtual resource data according to the fifth embodiment.
The client 602 is configured to send a transfer request of virtual resource data, where the transfer request carries field information related to the request; acquiring a first challenge code preset by a server according to the transfer request, wherein the first challenge code is generated after being encrypted by a public key of a client certificate; obtaining a private key of a client certificate, and decrypting the first challenge code by using the private key of the client certificate; generating a first digital signature according to the decrypted first challenge code and the field information; when the first digital signature is determined to be consistent with a second digital signature in the server, indicating that the virtual resource transfer is allowed.
The server 601 is configured to receive a transfer request of virtual resource data, where the transfer request carries field information related to the request; sending a preset first challenge code to the client according to the transfer request, wherein the first challenge code is generated after being encrypted by a public key of a client certificate; receiving a first digital signature sent by a client, wherein the first digital signature is generated by the client by decrypting the first challenge code by using a private key of a client certificate and according to the decrypted first challenge code and the field information; when the first digital signature is determined to be consistent with a second digital signature in the server, indicating that the virtual resource transfer is allowed.
In the foregoing embodiments, the descriptions of the embodiments have respective emphasis, and parts that are not described in detail in a certain embodiment may refer to the above detailed description of the processing method for virtual resource data, and are not described herein again.
The processing apparatus of virtual resource data provided in the embodiments of the present invention, such as a computer, a tablet computer, a mobile phone with a touch function, and the like, belongs to the same concept as the processing method of virtual resource data in the above embodiments, and any method provided in the processing method embodiment of virtual resource data may be run on the processing apparatus of virtual resource data, and a specific implementation process thereof is described in the processing method embodiment of virtual resource data, and is not described herein again.
It should be noted that, for the method for processing virtual resource data described in the present invention, it can be understood by a person skilled in the art that all or part of the process of implementing the method for processing virtual resource data described in the embodiment of the present invention can be completed by controlling related hardware through a computer program, where the computer program can be stored in a computer readable storage medium, such as a memory of a terminal, and executed by at least one processor in the terminal, and the process of executing the process of the embodiment of the method for processing virtual resource data can be included. The storage medium may be a magnetic disk, an optical disk, a Read Only Memory (ROM), a Random Access Memory (RAM), or the like.
In the processing apparatus of virtual resource data according to the embodiment of the present invention, each functional module may be integrated in one processing chip, or each module may exist alone physically, or two or more modules are integrated in one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, or the like.
The foregoing describes in detail a method and an apparatus for processing virtual resource data according to an embodiment of the present invention, and a specific example is applied in the description to explain the principle and the implementation of the present invention, and the description of the foregoing embodiment is only used to help understand the method and the core idea of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
Claims (14)
1. A method for processing virtual resource data is characterized by comprising the following steps:
before sending a transfer request of virtual resource data, sending user information so that a server performs processing according to the user information to generate a first challenge code, wherein the processing comprises: the server generates a corresponding second challenge code according to the user information, acquires a public key of a client certificate indicated by the user information, and encrypts the second challenge code by using the public key of the client certificate to generate a first challenge code, wherein the second challenge code carries a corresponding challenge code plaintext;
when virtual resource transfer is needed, sending a transfer request of virtual resource data, wherein the transfer request carries field information related to the request;
receiving a first challenge code preset by the server returned by the server when the transfer request is legal; the first challenge code is generated after the server encrypts a second challenge code corresponding to the user information by using a public key of a client certificate indicated by the user information after receiving the user information and before receiving the transfer request;
obtaining a private key of a client certificate, and decrypting the first challenge code by using the private key of the client certificate;
generating a first digital signature according to the decrypted first challenge code and the field information;
and when the first digital signature is determined to be consistent with a second digital signature, indicating that the virtual resource transfer is allowed, wherein the second digital signature is a digital signature generated by the server according to the second challenge code and the field information.
2. The method for processing virtual resource data according to claim 1, wherein after generating the first digital signature according to the decrypted first challenge code and the field information, the method further includes:
sending the first digital signature and the field information to a server;
receiving a comparison result sent by the server, wherein the comparison result is obtained by the server generating a second digital signature according to the challenge code plaintext and the field information and comparing the first digital signature with the second digital signature;
when the first digital signature is determined to be consistent with the second digital signature, indicating that the virtual resource transfer is allowed, including: indicating that the virtual resource transfer is allowed when the first digital signature is determined to be consistent with the second digital signature according to the comparison result.
3. The method for processing virtual resource data according to claim 1, wherein the generating a first digital signature according to the decrypted first challenge code and the field information includes:
and generating a first digital signature by using a one-way hash algorithm according to the decrypted first challenge code and the order number field in the field information.
4. A method for processing virtual resource data is characterized by comprising the following steps:
before a virtual resource data transfer request sent by a client is received, user information sent by the client is received, a corresponding second challenge code is generated according to the user information, a public key of a client certificate indicated by the user information is obtained, the public key of the client certificate is utilized to encrypt the second challenge code, and a first challenge code is generated, wherein the second challenge code carries a corresponding challenge code plaintext;
receiving a transfer request of virtual resource data sent by the client when virtual resource transfer is needed, wherein the transfer request carries field information related to the request;
when the transfer request is determined to be legal, sending a preset first challenge code to the client, wherein the first challenge code is generated after the server encrypts a second challenge code corresponding to the user information by using a public key of a client certificate indicated by the user information after receiving the user information and before receiving the transfer request;
receiving a first digital signature sent by a client, wherein the first digital signature is generated by the client by decrypting the first challenge code by using a private key of a client certificate and according to the decrypted first challenge code and the field information;
and when the first digital signature is determined to be consistent with a second digital signature, indicating that the virtual resource transfer is allowed, wherein the second digital signature is a digital signature generated by the server according to the second challenge code and the field information.
5. The method for processing virtual resource data according to claim 4, wherein when it is determined that the first digital signature is consistent with the second digital signature, before indicating that the virtual resource transfer is allowed, the method further comprises:
receiving the first digital signature and the field information sent by the client;
generating a second digital signature by using the challenge code plaintext and the field information, and comparing the first digital signature with the second digital signature to obtain a comparison result;
and sending the comparison result to the client.
6. An apparatus for processing virtual resource data, comprising:
a first sending module, configured to send user information before sending a transfer request of virtual resource data, so that a server performs processing according to the user information to generate a first challenge code, where the processing includes: the server generates a corresponding second challenge code according to the user information, acquires a public key of a client certificate indicated by the user information, and encrypts the second challenge code by using the public key of the client certificate to generate a first challenge code, wherein the second challenge code carries a corresponding challenge code plaintext; the virtual resource data transfer method is also used for sending a transfer request of virtual resource data when the virtual resource transfer is needed, wherein the transfer request carries field information related to the request;
a first obtaining module, configured to receive a first challenge code preset by the server and returned by the server when the transfer request is legal, where the first challenge code is generated after the server receives the user information and before the server receives the transfer request, and a second challenge code corresponding to the user information is encrypted by using a public key of a client certificate indicated by the user information;
the decryption module is used for acquiring a private key of the client certificate and decrypting the first challenge code by using the private key of the client certificate;
the first generation module is used for generating a first digital signature according to the decrypted first challenge code and the field information;
and the first indicating module is used for indicating that the virtual resource transfer is allowed when the first digital signature is determined to be consistent with a second digital signature, and the second digital signature is a digital signature generated by the server according to the second challenge code and the field information.
7. The apparatus for processing virtual resource data according to claim 6, wherein said apparatus further comprises:
the second sending module is used for sending the first digital signature and the field information to a server;
the first receiving module is used for receiving a comparison result sent by the server, the comparison result is obtained by the server according to a challenge code plaintext carried by a second challenge code and the field information and comparing the first digital signature with the second digital signature, and the second challenge code is generated by the server according to user information sent by a client;
the first indication module is specifically configured to: indicating that the virtual resource transfer is allowed when the first digital signature is determined to be consistent with the second digital signature according to the comparison result.
8. The apparatus for processing virtual resource data according to claim 6, wherein the first generating module is specifically configured to: and generating a first digital signature by using a one-way hash algorithm according to the decrypted first challenge code and the order number field in the field information.
9. An apparatus for processing virtual resource data, comprising:
the fourth receiving module is used for receiving the user information sent by the client before receiving the transfer request of the virtual resource data sent by the client;
a second generating module, configured to generate a corresponding second challenge code according to the user information, where the second challenge code carries a corresponding challenge code plaintext;
the second acquisition module is used for acquiring the public key of the user client certificate indicated by the user information;
the encryption storage module is used for encrypting the second challenge code by using the public key of the client certificate to generate a first challenge code and storing the plaintext of the challenge code;
a second receiving module, configured to receive a transfer request of virtual resource data sent by the client when virtual resource transfer needs to be performed, where the transfer request carries field information related to the request;
a third sending module, configured to send a preset first challenge code to the client when it is determined that the transfer request is legal, where the first challenge code is generated after the server receives the user information and before the server receives the transfer request and encrypts a second challenge code corresponding to the user information by using a public key of a client certificate indicated by the user information;
the third receiving module is used for receiving a first digital signature sent by a client, wherein the first digital signature is generated by the client by decrypting the first challenge code by using a private key of a client certificate and according to the decrypted first challenge code and the field information;
and the second indicating module is used for indicating that the virtual resource transfer is allowed when the first digital signature is determined to be consistent with a second digital signature, and the second digital signature is a digital signature generated by the server according to the second challenge code and the field information.
10. The apparatus for processing virtual resource data according to claim 9, wherein said apparatus further comprises:
a fifth receiving module, configured to receive the first digital signature and the field information sent by the client;
a third generating module, configured to generate a second digital signature using the challenge code plaintext and the field information;
the comparison module is used for comparing the first digital signature with the second digital signature to obtain a comparison result;
and the fourth sending module is used for sending the comparison result to the client.
11. A system for processing virtual resource data, comprising a client and a server, wherein the client is the processing apparatus for virtual resource data according to any one of claims 6 to 8, and the server is the processing apparatus for virtual resource data according to any one of claims 9 to 10.
12. A terminal, comprising a memory and a processor, the memory having stored thereon a computer program that, when executed by the processor, causes the processor to perform the steps of the method according to any one of claims 1 to 3.
13. A server, comprising a memory and a processor, the memory having stored thereon a computer program that, when executed by the processor, causes the processor to perform the steps of the method of any one of claims 4 to 5.
14. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the steps of the method according to any one of claims 1 to 5.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510455785.6A CN106411520B (en) | 2015-07-29 | 2015-07-29 | Method, device and system for processing virtual resource data |
PCT/CN2016/081565 WO2017016272A1 (en) | 2015-07-29 | 2016-05-10 | Method, apparatus and system for processing virtual resource data |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510455785.6A CN106411520B (en) | 2015-07-29 | 2015-07-29 | Method, device and system for processing virtual resource data |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106411520A CN106411520A (en) | 2017-02-15 |
CN106411520B true CN106411520B (en) | 2020-08-04 |
Family
ID=57884144
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510455785.6A Active CN106411520B (en) | 2015-07-29 | 2015-07-29 | Method, device and system for processing virtual resource data |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106411520B (en) |
WO (1) | WO2017016272A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108596581B (en) * | 2017-12-04 | 2020-08-18 | 阿里巴巴集团控股有限公司 | Verification method and device for resource transfer and electronic payment verification method and device |
CN111213147B (en) | 2019-07-02 | 2023-10-13 | 创新先进技术有限公司 | Systems and methods for blockchain-based cross-entity authentication |
CN116910726A (en) | 2019-07-02 | 2023-10-20 | 创新先进技术有限公司 | System and method for mapping a de-centralized identity to a real entity |
CN113011945A (en) * | 2021-03-16 | 2021-06-22 | 深圳市微创云启科技有限公司 | Order number generation method and device, terminal equipment and storage medium |
CN114006705B (en) * | 2021-12-28 | 2022-03-18 | 深圳市名竹科技有限公司 | Digital signature processing method and device, computer equipment and storage medium |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ITRM20030100A1 (en) * | 2003-03-06 | 2004-09-07 | Telecom Italia Mobile Spa | TECHNIQUE OF MULTIPLE ACCESS TO THE NETWORK BY USER TERMINAL INTERCONNECTED TO A LAN AND RELATED REFERENCE ARCHITECTURE. |
CN1274105C (en) * | 2003-06-12 | 2006-09-06 | 上海格尔软件股份有限公司 | Dynamic password authentication method based on digital certificate implement |
CN1859097B (en) * | 2006-01-19 | 2010-08-04 | 华为技术有限公司 | Verifying method and system based on general weight discrimination framework |
CN101083556B (en) * | 2007-07-02 | 2010-04-14 | 蔡水平 | Region based layered wireless information publishing, searching and communicating application system |
CN101222333B (en) * | 2007-12-24 | 2010-11-10 | 北京握奇数据系统有限公司 | Data transaction processing method and apparatus |
US20140359034A1 (en) * | 2013-05-31 | 2014-12-04 | David A. Hernandez | Methods and Systems for Automatically Making Acts of Advocacy Based on Content in Electronic Information Streams |
CN103532719B (en) * | 2013-10-22 | 2017-01-18 | 天地融科技股份有限公司 | Dynamic password generation method, dynamic password generation system, as well as processing method and processing system of transaction request |
CN104320261B (en) * | 2014-11-05 | 2018-06-15 | 北京大唐智能卡技术有限公司 | Identity authentication method, financial smart card and terminal are realized on financial smart card |
-
2015
- 2015-07-29 CN CN201510455785.6A patent/CN106411520B/en active Active
-
2016
- 2016-05-10 WO PCT/CN2016/081565 patent/WO2017016272A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN106411520A (en) | 2017-02-15 |
WO2017016272A1 (en) | 2017-02-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111130803B (en) | Method, system and device for digital signature | |
KR101904177B1 (en) | Data processing method and apparatus | |
US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
CN108566381A (en) | A kind of security upgrading method, device, server, equipment and medium | |
CN104079581B (en) | Identity identifying method and equipment | |
WO2017020452A1 (en) | Authentication method and authentication system | |
CN106411520B (en) | Method, device and system for processing virtual resource data | |
CN204360381U (en) | mobile device | |
CN105634737B (en) | Data transmission method, terminal and system | |
TWI636373B (en) | Method and device for authorizing between devices | |
CN110690956B (en) | Bidirectional authentication method and system, server and terminal | |
CN111131300B (en) | Communication method, terminal and server | |
CN112055019B (en) | Method for establishing communication channel and user terminal | |
CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
US20230412373A1 (en) | Accessory assisted account recovery | |
JP5827724B2 (en) | Method and apparatus for entering data | |
WO2024139616A1 (en) | Signature authentication method and apparatus | |
CN111193704B (en) | HTTP communication method, device and readable storage medium | |
CN110838919B (en) | Communication method, storage method, operation method and device | |
WO2018227471A1 (en) | Secure processing method and apparatus for biometric feature data, sensor, and terminal device | |
CN110414269B (en) | Processing method, related device, storage medium and system of application installation package | |
JP2003234734A (en) | Mutual authentication method, server device, client device, mutual authentication program and storage medium stored with mutual authentication program | |
Reimair et al. | MoCrySIL-Carry your Cryptographic keys in your pocket | |
CN116528230A (en) | Verification code processing method, mobile terminal and trusted service system | |
CN112150151B (en) | Secure payment method, apparatus, electronic device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |