CN119918092A - Authorization verification method, system, device, computer equipment and storage medium - Google Patents
- Publication number: CN119918092A (application CN202510402483.6A)
- Authority: CN (China)
- Prior art keywords: authorization, metadata, target, verification, data
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Storage Device Security (AREA)
Abstract
The invention relates to the technical field of data access control, and discloses an authorization verification method, system, device, computer equipment and storage medium. First, when a target operation to be executed on target data is received, an authorization operation credential is queried based on the target metadata authorization service item corresponding to the target operation, to verify whether a valid authorization record exists. Then, if the query finds in the authorization operation credential a target metadata operation authorization item matching the target metadata authorization service item, authorization verification is performed based on the authorization operation credential and the target metadata authorization operation verification key corresponding to the target metadata authorization service item, yielding an authorization verification result that indicates whether the operation request is approved. Finally, if the authorization verification result indicates that verification passed, the target operation is allowed on the target data. This effectively manages fine-grained operation authorization control of the data and ensures control over data access and operation authority.
Description
Technical Field
The present invention relates to the field of data access control technologies, and in particular, to an authorization verification method, system, device, computer equipment, and storage medium.
Background
Access control is a basic element of the security field; it defines which specific subjects are allowed to access which data, applications and resources, and under what conditions.
In the related art, role-based access control grants or restricts system access rights according to an individual's role in the organizational structure. However, role-based access control is limited in its ability to precisely control each operation on each metadata item.
Disclosure of Invention
The embodiments of the present specification aim to solve at least one of the technical problems in the related art to some extent. For this reason, the embodiments of the present specification provide an authorization verification method, system, apparatus, computer device, and storage medium.
The embodiment of the specification provides an authorization verification method, which comprises the following steps:
When a target operation to be executed on target data is received, querying an authorization operation credential based on a target metadata authorization service item corresponding to the target operation;
Under the condition that the authorization operation credential is queried to have a target metadata operation authorization item matched with the target metadata authorization service item, performing authorization verification based on the authorization operation credential and a target metadata authorization operation verification key corresponding to the target metadata authorization service item to obtain an authorization verification result;
In the case where the authorization verification result indicates that authorization verification is passed, the operation on the target data based on the target operation is allowed.
In one embodiment, the authorization operation credential further includes a hash identifier and an encrypted identity, and performing authorization verification based on the authorization operation credential and the target metadata authorization operation verification key corresponding to the target metadata authorization service item to obtain an authorization verification result includes:
determining information to be verified based on the target metadata authorization operation verification key and the target metadata operation authorization item;
determining an identity to be verified based on the encrypted identity and the information to be verified;
determining a hash identifier to be verified based on the identity to be verified and a random parameter;
and comparing the hash identifier to be verified with the hash identifier to obtain the authorization verification result.
In one embodiment, comparing the hash identifier to be verified with the hash identifier to obtain the authorization verification result includes:
obtaining an authorization verification result indicating that authorization verification passed when the hash identifier to be verified is equal to the hash identifier;
and obtaining an authorization verification result indicating that authorization verification failed when the hash identifier to be verified is not equal to the hash identifier.
In one embodiment, before performing the target operation on the target data, the method further comprises:
upon receiving a user authentication operation, receiving the metadata authorization service item that corresponds to the metadata the user may operate on and permits the data operation to be executed, and determining a random parameter;
generating the authorization operation credential based on the user unique identification, the metadata authorization service item, the random parameter, and initialization data.
In one embodiment, the initialization data is determined by:
determining, for each applicable metadata authorization service item of each metadata, a private parameter and a characteristic value based on the metadata and the metadata authorization service items applicable to it;
determining, for each applicable metadata authorization service item of each metadata, a non-private parameter and a metadata authorization operation verification key based on that item's private parameter and characteristic value;
and determining the initialization data based on the private parameters, the characteristic values, the non-private parameters and the metadata authorization operation verification keys corresponding to each applicable metadata authorization service item of each metadata.
In one embodiment, the authorization operation credential further includes an authorization access frequency, and the allowing the operation on the target data based on the target operation if the authorization verification result indicates that authorization verification is passed includes:
And in the case that the authorization verification result indicates that authorization verification is passed, allowing the operation on the target data based on the target operation with the authorization access frequency as a constraint.
The present description embodiment provides an authorization verification system including an authorized access control center and a key generation center, the authorization verification system implementing the steps of the method of any one of the above.
The present specification provides an authorization verification apparatus, the apparatus including:
The authorization operation credential inquiry module is used for inquiring the authorization operation credential based on a target metadata authorization service item corresponding to target operation under the condition that the target operation executed for target data is received;
The target operation authorization verification module is used for carrying out authorization verification based on the authorization operation credential and a target metadata authorization operation verification key corresponding to the target metadata authorization service item under the condition that the authorization operation credential is queried to have the target metadata operation authorization item matched with the target metadata authorization service item, so as to obtain an authorization verification result;
and the authority authorization control module is used for allowing the target metadata to be operated based on the target operation in the case that the authorization verification result indicates that the authorization verification is passed.
The present description provides a computer device comprising a memory and one or more processors communicatively coupled to the memory, the memory having stored therein instructions executable by the one or more processors to cause the one or more processors to implement the steps of the method of any of the above embodiments.
The present description provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the method according to any of the above embodiments.
The present description provides a computer program product comprising instructions which, when executed by a processor of a computer device, enable the computer device to perform the steps of the method of any one of the embodiments described above.
In the above-described embodiments, first, when a target operation to be performed on target data is received, the authorization operation credential is queried based on the target metadata authorization service item corresponding to the target operation, to verify whether a valid authorization record exists. Then, if the query finds in the authorization operation credential a target metadata operation authorization item matching the target metadata authorization service item, authorization verification is performed based on the authorization operation credential and the target metadata authorization operation verification key corresponding to the target metadata authorization service item, yielding an authorization verification result that indicates whether the operation request is legally authorized. Finally, if the authorization verification result indicates that verification passed, the target operation is allowed on the target data. With this mechanism, the operation can be executed only when the target operation matches the corresponding metadata operation authorization item and verification passes, so fine-grained operation authorization control of the data is effectively managed, strict control over data access and operation authority is ensured, and potential security risk is reduced.
Drawings
FIG. 1 is a schematic flow chart of an authorization verification method according to an embodiment of the present disclosure;
FIG. 2 is a schematic flow chart of obtaining authorization verification results according to an embodiment of the present disclosure;
FIG. 3 is a schematic flow chart of generating authorization operation credentials according to an embodiment of the present disclosure;
FIG. 4 is a schematic flow chart of determining initialization data according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of an authorization verification device according to an embodiment of the present disclosure;
FIG. 6 is an internal structural diagram of a computer device according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.
Access control is a basic element in the field of information security, and refers to the methods and operating mechanisms for authorizing and controlling a visitor's access to a resource object. A visitor, also called a subject, is typically a user, process, or application; a resource object, or object, is the thing being accessed, and may include files, application services, data, and the like. The core goal of access control is to ensure that only authorized visitors can access the protected resources, while unauthorized visitors cannot.
It should be noted that authorization is the manner in which a visitor may access a resource object, such as reading, writing, deleting or adding a file, or receiving and sending e-mail. In the field of information security, authorization refers to the authority granted by a resource owner to a specific principal (executor) to perform a specific operation on a resource object; the scope and operation mode of the authorization are determined by the resource owner. The access control mechanism then monitors and limits the visitor's behavior and makes the corresponding decision upon receipt of an access request, such as refusing access, granting permission, or prohibiting certain operations.
There are typically four main access control models, each with its unique way to manage access to sensitive information:
1. Discretionary access control (DAC)
In the DAC model, each object in the system has an owner, and the owner grants access rights to other users according to the owner's own judgment and requirements. DAC provides a flexible control mode, so that resource access rights can be adjusted to specific situations.
2. Mandatory access control (MAC)
In the MAC model, access rights are not determined by the owner of the resource but are controlled by a central authority according to a predetermined security policy. A user can access certain resources only after audit and approval. MAC is commonly used in environments with extremely high information security requirements, such as government and the military, where rights management is strict and uniform and usually relies on security levels and classifications.
3. Role-based access control (RBAC)
RBAC grants access rights depending on the user's role in the organization. Each role is associated with particular rights, and a user obtains rights to access resources according to its role. RBAC typically manages access to resources such as database tables, columns, and cells, and is tightly coupled with Access Control Lists (ACLs).
4. Attribute-based access control (ABAC)
ABAC relies on attributes of users, resources, operations, and environments to decide whether to grant access. Unlike RBAC, ABAC depends not only on the user's role but also considers attributes in more dimensions.
However, the above access control model still has certain limitations in precisely controlling metadata operations. Particularly when refinement to each operating level is required, the more accurate access requirements cannot be met.
Because of the huge amount of data, if a different management policy were set for each data field, the management workload would far exceed that of storing the data itself. Metadata management may provide a solution.
Metadata management is one of the core links in the field of big data, and not only involves description and organization of the data itself, but also takes on the tasks of tracking data changes, ensuring data quality and improving data availability. Metadata (Metadata) is descriptive information of data, which is essentially "data" about data, i.e., an abstract description of the attributes, structure, and associated information of the data. Metadata can be understood as the smallest unit of data. Through metadata, elements of data (e.g., name, size, data type, etc.), structures (e.g., fields, columns of data, etc.), and their associated information (e.g., location, owner, etc.) can be understood and managed.
Illustratively, the metadata in the library is similar to a book catalog. The library manages the books through the book catalogue, and the catalogue contains information such as names, numbers, authors, topics, brief introduction, placement positions and the like of the books, so that a book manager is helped to efficiently manage and quickly search the books. Metadata functions in data management like library book directories, which helps data administrators manage and query data. Metadata runs through the whole process of data flow of a big data platform, and mainly comprises data source metadata, data processing metadata, data warehouse or data subject database metadata, data application layer metadata and data interface service metadata.
According to different application fields and functions, metadata can be divided into three main categories, namely business metadata, technical metadata and management metadata.
Business metadata describes the business meaning, business rules, etc. of the data. Defining business metadata helps business personnel understand the actual application scenario of the data and improves its usability.
Technical metadata describes the structure, storage mode, transmission rules, etc. of the data, facilitating its recognition, storage, transmission and exchange by a computer or database. Technical metadata provides developers with detailed information about data structure and storage, supporting application development and system integration. It can also help business personnel quickly find the data they need.
Management metadata covers management attributes related to the data, including data owners, data governance responsibilities, data security levels, etc. Clear management metadata helps identify the persons and departments responsible for the data and guarantees its security management.
Metadata opens up data, data warehouses, and data applications, recording the overall process of data from production to consumption. Metadata can provide detailed information about the data asset, helping users discover, identify, understand, organize, retrieve, and effectively use the data.
Attribute-Based Encryption (ABE) can be considered an extension of Identity-Based Encryption (IBE). In an identity-based encryption system, the identity of a user is represented by a unique identifier. In attribute-based encryption, the user identity is represented by an attribute set, so the representation of user identity is expanded from a single identifier to a plurality of attributes. In addition, attribute-based encryption embeds the access control structure into the attribute set, giving the public key cryptosystem access control capability over specific attributes and attribute sets. ABE is thus an encryption model that implements encryption and decryption by associating ciphertexts and keys with a user's attribute set and access control policies. Unlike ordinary public key encryption, ABE ensures that a ciphertext can be decrypted if and only if the user's set of attributes satisfies a particular access control policy.
Based on the above analysis, the embodiments of the present disclosure provide an authorization verification method, first, in a case of receiving a target operation performed on target data, based on a target metadata authorization service item corresponding to the target operation, query an authorization operation credential, and verify whether a valid authorization record exists. Then, under the condition that the authorization operation credential is queried to have a target metadata operation authorization item matched with the target metadata authorization service item, performing authorization verification based on the authorization operation credential and a target metadata authorization operation verification key corresponding to the target metadata authorization service item, and obtaining an authorization verification result, wherein the authorization verification result indicates whether the operation request is authorized legally. Finally, in the case where the result of the authorization verification indicates that the authorization verification is passed, the operation on the target data based on the target operation is allowed. By the mechanism, the operation can be executed only when the target operation is matched with the corresponding metadata operation authorization item and verification passes, so that fine granularity operation authorization control of the data is effectively managed, strict control of data access and operation authority is ensured, and potential safety risk is reduced.
The embodiment of the specification provides an authorization verification method which selects key data attributes and category information in the metadata as key metadata, and combines them with an operation set on the data (including basic operations such as adding, deleting, modifying and querying, and processing operations such as data processing, data desensitization, data watermarking and data circulation) to form fine-grained data operation access authorization control. Specifically, independent access authorization control can be set for each operation (such as adding, deleting, modifying, querying, etc.) of each key metadata item, and centralized authorization management can also be performed for combined operations over a plurality of key metadata items. Each critical operation may be equipped with a specific authorization verification key, thereby enabling fine-grained data authorization management.
In order to ensure the security of the system, the authorization control system introduces necessary cryptography technology, which not only realizes fine-granularity authorization access control, but also ensures the security and effectiveness of the authorization management system. In addition, the result of each authorized access is recorded and output to an auditing system or a blockchain certification platform, and the process ensures the non-tamper property and traceability of the data operation, thereby further improving the transparency and the security of the data operation.
The present disclosure provides an authorization verification method, referring to fig. 1, which may include the following steps:
S110, when the target operation to be executed on the target data is received, querying the authorization operation credential based on the target metadata authorization service item corresponding to the target operation.
And S120, under the condition that the authorization operation credential is queried to have a target metadata operation authorization item matched with the target metadata authorization service item, performing authorization verification based on the authorization operation credential and a target metadata authorization operation verification key corresponding to the target metadata authorization service item, and obtaining an authorization verification result.
And S130, allowing the operation on the target data based on the target operation in the case that the authorization verification result indicates that the authorization verification is passed.
Specifically, the user is bound to the authorization operation credential. When the target operation to be executed on the target data is received, the authorized access control center determines the metadata corresponding to the target data, and then queries the authorization operation credential held on the user side according to the target metadata authorization service item corresponding to the target operation on that metadata, to judge whether a metadata operation authorization item matching the target metadata authorization service item exists. If the query finds such a metadata operation authorization item in the authorization operation credential, it is taken as the target metadata operation authorization item, which indicates that the user holds the corresponding authority to execute the target operation on the target data. However, this authority alone carries a security risk, such as an illegitimate authorization on the user side, so when the target metadata operation authorization item is found, the validity of the operation authorization must be verified further. Authorization verification is carried out based on the authorization operation credential and the target metadata authorization operation verification key corresponding to the target metadata authorization service item, to judge whether the operation request is legally authorized, thereby obtaining the authorization verification result.
When the authorization verification result indicates that verification passed, the operation authority restriction is lifted and the corresponding operation is allowed to be executed on the target data according to the specific instruction and requirement of the target operation. This ensures that the whole operation proceeds safely and in order within a legally authorized framework, effectively protects the security and integrity of system data, and prevents the risk of data damage or leakage caused by unauthorized operations.
Conversely, if the authorization item of the target metadata operation matching the authorization service item of the target metadata cannot be queried in the authorization operation credentials, the user does not have corresponding authority to execute the target operation on the target data, and execution of the target operation on the target data is forbidden.
It should be noted that, when the authorization verification result indicates that verification passed, the operation performed on the target data according to the target operation may be recorded in a log or passed to an audit system, so that the operation can be traced and inspected. Moreover, when executing the target operation on the target data produces new metadata, such as adding a new library table, the new metadata is updated in time, and corresponding metadata authorization operation verification keys are distributed for the new metadata and its metadata authorization service items, so that authorization management of the whole system always remains effective and complete.
In the above embodiment, first, when a target operation performed on target data is received, the authorization operation credential is queried based on a target metadata authorization service item corresponding to the target operation, and whether a valid authorization record exists is verified. Then, under the condition that the authorization operation credential is queried to have a target metadata operation authorization item matched with the target metadata authorization service item, performing authorization verification based on the authorization operation credential and a target metadata authorization operation verification key corresponding to the target metadata authorization service item, and obtaining an authorization verification result, wherein the authorization verification result indicates whether the operation request is authorized legally. Finally, in the case where the result of the authorization verification indicates that the authorization verification is passed, the operation on the target data based on the target operation is allowed. By the mechanism, the operation can be executed only when the target operation is matched with the corresponding metadata operation authorization item and verification passes, so that fine granularity operation authorization control of the data is effectively managed, strict control of data access and operation authority is ensured, and potential safety risk is reduced.
In some embodiments, referring to fig. 2, the authorization operation credential further includes a hash identifier and an encrypted identity, and performs authorization verification based on the authorization operation credential and a target metadata authorization operation verification key corresponding to the target metadata authorization service item, to obtain an authorization verification result, and may include the following steps:
S210, determining information to be verified based on the target metadata authorization operation verification key and the target metadata operation authorization item.
S220, determining the identity to be verified based on the encrypted identity and the information to be verified.
S230, determining the hash identification to be verified based on the identity to be verified and the random parameters.
S240, comparing the hash mark to be verified with the hash mark to obtain an authorization verification result.
Specifically, the authorized access control center holds a metadata authorization operation verification key for each applicable metadata authorization service item of each metadata. It therefore determines the metadata corresponding to the target data of the target operation, and then looks up the target metadata authorization operation verification key for that metadata according to the target metadata authorization service item corresponding to the target operation. Next, the authorized access control center uses the target metadata authorization operation verification key and the target metadata operation authorization item to execute a decryption operation according to the established mathematical relationship and encryption algorithm, thereby obtaining the information to be verified. The encrypted identity is then divided by the information to be verified to compute the identity to be verified. Then, taking the identity to be verified and a preset random parameter as inputs, a hash operation is carried out through a hash function to generate the hash identifier to be verified. Since the hash identifier to be verified is calculated from information provided by the user side, which may be counterfeited, the calculated hash identifier to be verified is compared with the hash identifier provided by the trusted source. Whether the two are consistent yields the final authorization verification result, which determines whether the target operation passes authorization verification and may be executed.
Illustratively, the target metadata authorizes the service itemAuthentication key corresponding to targeted metadata authorization operation. Verifying keys based on target metadata authorization operationsAnd a target metadata operation authorization itemCalculating to obtain information to be verified==, wherein,Is a random number. Will encrypt the identityAnd the obtained information to be verifiedPerforming division operation to obtain identity to be verified. Next, the identity to be verifiedWith preset random parametersAs input, hash operation is carried out through a specific one-way hash function, and a hash mark to be verified is generated。
In the above embodiment, the information to be verified is determined based on the target metadata authorization operation verification key and the target metadata authorization operation item, the identity to be verified is determined based on the encrypted identity and the information to be verified, the hash identifier to be verified is determined based on the identity to be verified and the random parameter, the hash identifier to be verified is compared with the hash identifier, an authorization verification result is obtained, and the reliability of verification is improved.
In some embodiments, comparing the hash identifier to be verified with the hash identifier to obtain an authorization verification result may include obtaining an authorization verification result indicating that authorization verification passes when the hash identifier to be verified is equal to the hash identifier.
In some cases, in the authorization verification process, the hash identifier in the authorization operation credential is calculated from legal and valid information, so the authorization operation credential is reliable. The hash identifier to be verified, by contrast, is calculated from information provided by the user side. Since the information provided by the user side may be forged, tampered with or invalid, its validity needs to be judged.
Specifically, the authorized access control center compares the hash identifier to be verified with the hash identifier. When the two are equal, the authorization information underlying both is identical and has not been tampered with, which proves that the target metadata operation authorization item in the authorization operation credential was generated through the legal flow and that its content conforms to the established authorization specification and is valid. On this basis, an authorization verification result indicating that authorization verification is passed is obtained, and the corresponding authorized operation is allowed to execute.
Illustratively, if the hash identification is to be verifiedHash identificationObtaining an authorization verification result indicating that the authorization verification passes.
In the embodiment, under the condition that the hash identifier to be verified is equal to the hash identifier, an authorization verification result indicating that authorization verification is passed is obtained, and the security of the system is improved.
In some embodiments, comparing the hash identifier to be verified with the hash identifier to obtain an authorization verification result may include obtaining an authorization verification result indicating that authorization verification is not passed if the hash identifier to be verified is not equal to the hash identifier.
Specifically, the authorized access control center compares the hash identifier to be verified with the hash identifier. When the two are not equal, the authorization information underlying the hash identifier to be verified differs from that underlying the hash identifier; that is, the target metadata operation authorization item in the authorization operation credential was not generated by the legal authorization process and its content does not conform to the preset authorization specification, so the target metadata operation authorization item is judged to be illegal. On this basis, an authorization verification result indicating that authorization verification is not passed is obtained, and the corresponding authorized operation is not allowed to execute.
Illustratively, if the hash identification to be verifiedHash identificationObtaining an authorization verification result indicating that the authorization verification is not passed.
In the above embodiment, when the hash identifier to be verified is not equal to the hash identifier, an authorization verification result indicating that authorization verification is not passed is obtained, the execution of illegal operations is effectively prevented, and the security and stability of the system are ensured.
In some embodiments, referring to fig. 3, before performing the target operation on the target data, the method may further include the steps of:
S310, when a user authentication operation is received, receiving the metadata authorization service item that corresponds to the user unique identifier and to the metadata operable by the user and that allows the data operation to be executed, and determining a random parameter.
S320, generating an authorization operation credential based on the user unique identifier, the metadata authorization service item, the random parameter and the initialization data.
Specifically, each user corresponds to a unique identifier that explicitly confirms the user's identity, and the metadata authorization service item corresponding to the metadata operable by the user and allowing data operations to be performed defines the specific range of operation authority the user holds over that metadata, identifying the types of data operation the user may perform on it, such as reading, modifying and deleting. After receiving a request for a user authentication operation, the key generation center first takes as input the user unique identifier and the metadata authorization service item, corresponding to the metadata operable by the user, that allows data operations to be performed. Meanwhile, the key generation center randomly extracts data within a preset interval and uses it as the random parameter, strengthening the security and reliability of the subsequent encryption process. It then performs a hash operation, with the user unique identifier and the random parameter as the inputs to a hash function, to generate the hash identifier. The user unique identifier, the random parameter and the initialization data are used as the inputs of an encryption operation, which is performed through an encryption algorithm to generate the encrypted identity. Based on the metadata authorization service item, the corresponding metadata operation authorization item is generated through the corresponding algorithm using the random parameter and the initialization data. Finally, the key generation center combines the generated hash identifier, encrypted identity and metadata operation authorization item into the authorization operation credential and sends it to the user.
In addition, the key generation center also sends the user unique identifier and the random parameter to the authorized access control center. It should be noted that the random parameter is not fixed: it is regenerated each time a user authentication operation is received, and there may be one or several random parameters. The value of the random parameter is known only to the key generation center and the authorized access control center, which effectively prevents the user from forging an authorization operation credential from parameter information known to them.
Illustratively, taking the example of dynamically providing authorization operation credentials, assume that the user is uniquely identified asWherein the unique user identifier can be a character string or a number, and the access authority policy of the user can only complete one data operation aiming at one data, and the metadata authorization service item is the first oneThe item operation. At the position ofDomain extraction of random parametersAnd random parameters. The authorization operation credential is calculated by the following formula:
Wherein, For the purpose of the hash identification,In order to encrypt the identity of the person,The authorization item is manipulated for the metadata,The service item is authorized for the metadata,、In order to initialize the data to be initialized,As a one-way function,Is a connector.
Assume that the user is uniquely identified asThe policy of the access authority of the user has a plurality of operation sets aiming at different metadata items, and the metadata authorization service items are the sets {1, 3, 7}. At the position ofDomain extraction of random parametersAnd random parameters. The authorization operation credential is calculated by the following formula:
It should be noted that, according to the access authority policy of the user, dynamically providing the authorization operation credential of the data operation for the user is a flexible and safe manner, which is suitable for the scenario that needs to perform fine-grained access control according to the user attribute, the operation environment and the resource attribute. Authorization operation credentials for data operations may also be provided statically. The static mode is suitable for a scene with fixed user identity and data operation and no change for a long time.
In the above embodiment, under the condition that the user authentication operation is received, the metadata authorization service item allowing the data operation to be executed corresponding to the metadata operable by the user is received and the random parameter is determined, and the authorization operation credential is generated based on the user unique identification, the metadata authorization service item, the random parameter and the initialization data, thereby improving the security.
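The issue and verify flow described above (key generation center issues the credential, authorized access control center decrypts, divides, hashes and compares), as an added example that is not the patent's own code. It models the patent's bilinear-group "encryption" as multiplication modulo a prime so the steps can be followed end to end; the class and function names are assumptions.

```python
"""Constructed model of credential issuance and authorization verification.

The patent works in a bilinear group; here the encryption of the identity and
of the authorization items is modelled as multiplication in the integers
modulo a prime P, so "decrypt" and "divide" are modular inversions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = 2**127 - 1  # constructed prime modulus, standing in for the group order


def one_way(*parts: int) -> str:
    """One-way function H: SHA-256 over the '||' concatenation of the inputs."""
    return hashlib.sha256("||".join(str(x) for x in parts).encode()).hexdigest()


@dataclass(frozen=True)
class Credential:
    hash_id: str                # hash identifier H(ID || r), the trusted reference value
    enc_id: int                 # encrypted identity: ID * info mod P
    auth_items: dict[int, int]  # metadata operation authorization items, keyed by service item


class KeyGenerationCenter:
    """Issues credentials; holds one verification key per metadata authorization service item."""

    def __init__(self, service_items: list[int]):
        # Initialization data: an independent verification key per applicable service item.
        self.verification_keys = {i: secrets.randbelow(P - 2) + 2 for i in service_items}

    def issue_credential(self, user_id: int, granted_items: list[int]):
        """Return (credential, r). r goes to the access control center, never to the user."""
        r = secrets.randbelow(P - 1) + 1        # fresh random parameter per authentication
        info = secrets.randbelow(P - 2) + 2     # the random number behind the authorization items
        hash_id = one_way(user_id, r)
        enc_id = user_id * info % P
        auth_items = {i: info * self.verification_keys[i] % P for i in granted_items}
        return Credential(hash_id, enc_id, auth_items), r


class AccessControlCenter:
    """Verifies credentials; knows the verification keys and each user's random parameter."""

    def __init__(self, verification_keys: dict[int, int]):
        self.verification_keys = verification_keys
        self.random_params: dict[int, int] = {}  # user_id -> r, received from the KGC

    def register(self, user_id: int, r: int) -> None:
        self.random_params[user_id] = r

    def verify(self, user_id: int, cred: Credential, target_item: int) -> bool:
        # Step 1: the credential must carry an authorization item matching the target service item.
        if target_item not in cred.auth_items or target_item not in self.verification_keys:
            return False
        r = self.random_params.get(user_id)
        if r is None:
            return False
        # Step 2: "decrypt" the authorization item with that item's verification key.
        key_inv = pow(self.verification_keys[target_item], -1, P)
        info_to_verify = cred.auth_items[target_item] * key_inv % P
        # Step 3: divide the encrypted identity by the information to be verified.
        id_to_verify = cred.enc_id * pow(info_to_verify, -1, P) % P
        # Step 4: hash with the stored random parameter and compare against the credential's hash identifier.
        return hmac.compare_digest(one_way(id_to_verify, r), cred.hash_id)


def demo_verification() -> dict[str, bool]:
    """Constructed run: a user granted read (1) and modify (3) but not delete (7)."""
    READ, MODIFY, DELETE = 1, 3, 7
    kgc = KeyGenerationCenter([READ, MODIFY, DELETE])
    acc = AccessControlCenter(kgc.verification_keys)
    user_id = 1001
    cred, r = kgc.issue_credential(user_id, [READ, MODIFY])
    acc.register(user_id, r)
    # A tampered credential that copies the READ item into the DELETE slot: the DELETE
    # key does not recover the right information, so the recomputed hash does not match.
    forged = Credential(cred.hash_id, cred.enc_id,
                        {**cred.auth_items, DELETE: cred.auth_items[READ]})
    return {
        "read_passes": acc.verify(user_id, cred, READ),
        "modify_passes": acc.verify(user_id, cred, MODIFY),
        "delete_rejected_no_item": not acc.verify(user_id, cred, DELETE),
        "delete_rejected_forged": not acc.verify(user_id, forged, DELETE),
        "unknown_user_rejected": not acc.verify(2002, cred, READ),
    }


if __name__ == "__main__":
    print(demo_verification())
```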
In some embodiments, referring to fig. 4, the initialization data may be determined by:
S410, determining the privacy parameter and the characteristic value corresponding to each applicable metadata authorization service item of each metadata, based on the metadata and the metadata authorization service items applicable to the metadata.
S420, determining the non-privacy parameter and the metadata authorization operation verification key corresponding to each applicable metadata authorization service item of each metadata, based on the privacy parameter and the characteristic value corresponding to each applicable metadata authorization service item of each metadata.
S430, determining initialization data based on the privacy parameters, the characteristic values corresponding to each applicable metadata authorization service item of each metadata, the non-privacy parameters and the metadata authorization operation verification key corresponding to each applicable metadata authorization service item of each metadata.
The metadata authorization service items can be various data operation items that digitally represent operations on the metadata; the data operation items include not only adding, deleting, modifying and querying operations, but also data processing, data desensitization, data watermarking, data circulation and the like.
Specifically, data attribute information, category information and the like are taken as metadata, data operation items which are allowed to be executed by each metadata are defined, and then the data operation items applicable to the metadata are represented in a digital mode, so that each applicable metadata authorization service item of each metadata is obtained. The key generation center maps based on metadata and metadata authorized service items applicable to the metadata, and determines a characteristic value corresponding to each applicable metadata authorized service item of each metadata so as to form fine-granularity data operation access control, and can accurately control different operation authorities of different metadata. The key generation center can acquire data in a random extraction mode in a preset interval range, and the data is used as a determined privacy parameter. Based on the determined privacy parameters, the corresponding characteristic values of each applicable metadata authorization service item of each metadata are combined, the independent metadata authorization operation verification key corresponding to each applicable metadata authorization service item of each metadata is further determined, and the uniqueness and independence of each metadata authorization operation verification key are ensured, so that the safety and accuracy of data operation are ensured. In addition, the non-private parameters are determined according to the private parameters and the corresponding characteristic values of each applicable metadata authorization service item of each metadata.
And integrating and determining the privacy parameters, the characteristic values corresponding to each applicable metadata authorization service item of each metadata, the non-privacy parameters and the metadata authorization operation verification keys corresponding to each applicable metadata authorization service item of each metadata as initialization data for subsequent data operation authorization and verification processes. It should be noted that the privacy parameters remain fixed after the determination.
In some embodiments, the metadata authorization operation verification key may be sent to an authorized access control center or may be distributed to a plurality of authorized management units, each of which is responsible for a different class of metadata. The method can realize the fine access authorization management of data operation aiming at each metadata or realize the flexible access authorization management of single data operation or multiple combined operations.
Illustratively, first, metadata is selected (assumingItems), all data operation item sets (assumedSeed operation). Since in practice part of the metadata is not suitable for all data manipulation, theoretically at most it can be formedThe matrix combination of the species corresponds to the relationship of these metadata to the data manipulation. A randomization algorithm may be employed for thisThe matrix is randomized and can also be directly input into a key generation center to be mapped into metadata authorization service items.
Will be subjected to randomization treatmentMatrix mapping toIn the domain, getInteger in the fieldAs a means ofCharacteristic values, andSatisfy the following requirementsWhereinEach applicable metadata authorization service item corresponding to each metadata, respectively. At the position ofDomain random decimation of an integerAs a privacy parameter.
Secondly, let theIs a prime number of one orderBilinear group of (C), orderIs thatIs a generator of (1). In addition, letRepresenting a bilinear map.
Then, according to the above settings and elements, calculate to obtain、、......、、As a non-privacy parameter.
The metadata authorization operation verification keys corresponding to each applicable metadata authorization service item of each metadata are respectively:、、...... 、。
In the above embodiment, the feature value corresponding to the privacy parameter and each applicable metadata authorization service item of each metadata is determined based on the metadata and the metadata authorization service item applicable to the metadata, the metadata authorization operation verification key corresponding to the non-privacy parameter and each applicable metadata authorization service item of each metadata is determined based on the feature value corresponding to the privacy parameter and each applicable metadata authorization service item of each metadata, and the initialization data is determined based on the feature value corresponding to the privacy parameter, each applicable metadata authorization service item of each metadata, the non-privacy parameter and each applicable metadata authorization operation verification key corresponding to each metadata authorization service item of each metadata, so that refined data operation authorization management is realized, and fine granularity operation authorization management of the data asset is effectively realized.
In some embodiments, the authorization operation credential further includes an authorization access frequency, allowing manipulation of the target data based on the target manipulation if the authorization verification result indicates that the authorization verification is passed, and may include allowing manipulation of the target data based on the target manipulation with the authorization access frequency as a constraint if the authorization verification result indicates that the authorization verification is passed.
Specifically, the authorization operation credential further includes an authorized access frequency. Its main function is to limit the number of times a user may perform the target operation on the target data, realizing fine-grained authority control. When the authorization verification result indicates that authorization verification is passed, the authorized access frequency constrains the user's operation behaviour according to preset rules and parameters. Each time the user operates on the target data based on the target operation, it is checked in real time whether the number of operations already used has reached the threshold set by the authorized access frequency. As long as the accumulated number of operations has not reached that limit, the user can perform the operation normally. Once the number of times the user has performed the target operation on the target data reaches the limit specified by the authorized access frequency, the user is automatically prohibited from continuing to operate on the target data based on the target operation. If the user still needs to perform the target operation on the target data, the authorization operation verification process must be restarted.
Illustratively, generating the authorization operation credential uniquely identified by the user as an ID is required inDomain random decimating of integers. If the authorized access frequency is 1, the authorized access frequency is #,,) By setting upThe method has the advantages that the number of times of allowing the operation on the target data based on the target operation is restrained, the mode is matched with the zero trust concept, namely, each operation needs to be subjected to independent authorization verification, so that the legality and the safety of each operation are ensured, the method is similar to a one-time-pad high-safety-level mechanism, unauthorized multiple access or operation can be effectively prevented, and the safety and the stability of data and a system are ensured.
In addition, the validity of the authorization operation credentials can be controlled by maintaining the use period, namely, constructing # -, a key of the authorization operation credentials,,) By setting upTo determine a validity period of the authorization credential during which a user may operate on target data based on target operations, once exceededThe set time range needs to be subjected to authorization operation verification again, so that the user operation authority is ensured to be managed and controlled in a refined manner in the time dimension, and the safety and reliability of the system are further enhanced.
When the authorized access frequency is 1, the authorized operation credential may be expressed as:
Wherein, As a one-way function,As a result of the random parameters,I.e. in the authorization vouchersSpecific values of (2).
In the above embodiment, when the result of the authorization verification indicates that the authorization verification is passed, the operation on the target data is allowed based on the target operation with the authorization access frequency as the constraint, and the security is improved by using the setting of the authorization access frequency.
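The authorized access frequency and use period constraints described above, as an added example that is not the patent's own code. It assumes the credential has already passed the hash-identifier check and only enforces how many times, and until when, the verified operation may be exercised; the names UsageConstraint and UsageController are assumptions.

```python
"""Constructed model of the frequency and use-period constraints on a verified credential."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UsageConstraint:
    frequency: int   # authorized access frequency; 1 models the one-time case
    not_after: int   # end of the use period, as epoch seconds


@dataclass
class UsageController:
    """Tracks, per (credential, service item), how many operations have been spent."""
    used: dict[tuple[str, int], int] = field(default_factory=dict)

    def allow(self, cred_hash_id: str, item: int, c: UsageConstraint,
              verified: bool, now: int) -> tuple[bool, str]:
        """Decide whether one more operation may run; the credential's hash identifier keys the counter."""
        if not verified:
            return False, "authorization verification not passed"
        if now > c.not_after:
            return False, "use period exceeded; re-run authorization verification"
        key = (cred_hash_id, item)
        if self.used.get(key, 0) >= c.frequency:
            return False, "authorized access frequency exhausted; re-run authorization verification"
        self.used[key] = self.used.get(key, 0) + 1
        return True, "operation allowed"


def demo_constraints() -> list[bool]:
    """Constructed run with a one-time credential: second use refused, per-item counters, expiry."""
    ctl = UsageController()
    once = UsageConstraint(frequency=1, not_after=1_700_000_600)
    hid = "constructed-hash-id"   # placeholder for the credential's hash identifier
    first, _ = ctl.allow(hid, 1, once, True, now=1_700_000_000)
    second, _ = ctl.allow(hid, 1, once, True, now=1_700_000_001)      # frequency 1 is spent
    other_item, _ = ctl.allow(hid, 3, once, True, now=1_700_000_002)  # separate counter per item
    expired, _ = ctl.allow(hid, 5, UsageConstraint(2, 1_700_000_000), True, now=1_700_000_601)
    unverified, _ = ctl.allow(hid, 7, once, False, now=1_700_000_003)
    return [first, not second, other_item, not expired, not unverified]


if __name__ == "__main__":
    print(demo_constraints())
```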
The embodiment of the specification provides an authorization verification system, which comprises an authorized access control center and a key generation center, and the authorization verification system realizes the steps of the method of any one of the above.
Referring to fig. 5, the authorization verification apparatus 500 includes an authorization operation credential inquiry module 510, a target operation authorization verification module 520, and a rights authorization control module 530.
The authorization operation credential querying module 510 is configured to query, when receiving a target operation performed on target data, an authorization operation credential based on a target metadata authorization service item corresponding to the target operation;
The target operation authorization verification module 520 is configured to perform authorization verification based on the authorization operation credential and a target metadata authorization operation verification key corresponding to the target metadata authorization service item, to obtain an authorization verification result when it is queried that the authorization operation credential has a target metadata operation authorization item that matches the target metadata authorization service item;
And a permission authorization control module 530, configured to allow the operation on the target data based on the target operation, in a case where the result of authorization verification indicates that authorization verification passes.
For a specific description of the authorization verification apparatus, reference may be made to the description of the authorization verification method hereinabove, and the description thereof will not be repeated here.
In some embodiments, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an authorization verification method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 6 is merely a block diagram of a portion of the structure associated with the aspects disclosed herein and is not limiting of the computer device to which the aspects disclosed herein apply, and in particular, the computer device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In some embodiments, a computer device is provided, comprising a memory in which a computer program is stored, and a processor which, when executing the computer program, carries out the method steps of the above embodiments.
The present description embodiment provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method of any of the above embodiments.
An embodiment of the present specification provides a computer program product comprising instructions which, when executed by a processor of a computer device, enable the computer device to perform the steps of the method of any one of the embodiments described above.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein may be considered an ordered listing of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium include an electrical connection (an electronic device) having one or more wires, a portable computer diskette (a magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium may even be paper or another suitable medium upon which the program is printed, as the program may be electronically captured, for instance via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510402483.6A CN119918092A (en) | 2025-04-01 | 2025-04-01 | Authorization verification method, system, device, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119918092A true CN119918092A (en) | 2025-05-02 |
Family
ID=95506043
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||