
WO2014059604A1 - Method and device for secure access to resource - Google Patents

Info

Publication number
WO2014059604A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
user
resources
list
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2012/083035
Other languages
French (fr)
Chinese (zh)
Inventor
曹志源
戴明毅
张战兵
陈爱平
虞景和
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to PCT/CN2012/083035 (WO2014059604A1)
Priority to CN2012800017887A (CN103109510A)
Publication of WO2014059604A1
Anticipated expiration
Ceased

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to the field of communication/information technology, and in particular, to a resource security access method and apparatus.
  • HTML 5: Hypertext Markup Language, 5th Edition
  • a universal security technology for implementing secure access of a mobile terminal is a VPN (Virtual Private Network).
  • the existing VPN technology needs to obtain advanced access rights, and the operating system is required to perform authorization. Therefore, for different application manufacturers, compatibility development is required, which results in poor versatility of the VPN technology.
  • the VPN cannot perform fine-grained access control, and enterprise data is not protected after being downloaded locally through the VPN, so there is a large risk of leakage.
  • an embodiment of the present invention provides a resource security access method, where the method includes:
  • the authorization result includes a list of accessible resources
  • the method further includes: acquiring a hardware key identifier;
  • the authorization result of the user is generated.
  • the authorization result further includes a resource usage policy
  • the acquiring the resources of the pre-stored resource or the server indicated by the access instruction includes:
  • the method further includes:
  • the resource of the server indicated by the access instruction is not acquired.
  • the method further includes:
  • the authorization result further includes user rights information, and the user rights information indicates whether the user is allowed to upload or download resources.
  • the method further includes:
  • the authorization result further includes resource security access level information, and the resource security access level information indicates a level of resources that the user is allowed to download.
  • the embodiment of the present invention further provides a resource security access device, where the device includes:
  • a local service module configured to obtain authentication information and a browser software summary of the user, and display the accessible resource list, so that the user inputs an access instruction according to the accessible resource list;
  • an authentication module configured to generate an authorization result of the user if the authentication information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, where the authorization result includes a list of accessible resources;
  • a secure communication module configured to acquire resources of a pre-stored resource or server indicated by the access instruction.
  • the local service module is further configured to obtain a hardware key identifier
  • the authentication module is further configured to generate an authorization result of the user if the hardware key identifier matches a corresponding hardware key information pre-stored in the hardware key list.
  • the authorization result further includes a resource usage policy
  • the secure communication module is specifically configured to obtain, according to the resource usage policy, a pre-stored resource or a resource of the server indicated by the access instruction.
  • the security communication module is further configured to receive user input after a preset period, in combination with the second aspect or the first possible implementation manner or the second possible implementation manner.
  • the access instruction does not acquire the resource of the server indicated by the access instruction.
  • the authorization result further includes user rights information, and the user rights information indicates whether the user is allowed to upload or download resources.
  • in combination with the second aspect or the first possible implementation manner to the fourth possible implementation manner, the authorization result further includes resource security access level information, and the resource security access level information indicates the level of resources that the user is allowed to download.
  • the embodiment of the present invention further provides a resource security accessor, where the resource security accessor includes:
  • a secure browser for obtaining authentication information and a browser software summary of the user, displaying the accessible resource list so that the user inputs an access instruction according to the accessible resource list, and acquiring the pre-stored resource or the resource of the server indicated by the access instruction;
  • a security gateway configured to generate an authorization result of the user if the authentication information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, the authorization result including a list of accessible resources.
  • the secure browser is further configured to obtain a hardware key identifier
  • the security gateway is further configured to generate an authorization result of the user if the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list.
  • the authorization result further includes a resource usage policy
  • the secure browser is specifically configured to acquire, according to the resource usage policy, a pre-stored resource or a resource of the server indicated by the access instruction.
  • the method and device for secure access to resources provided by the embodiments of the present invention obtain the user's identity verification information and the browser software summary; if the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, the user's authorization result is generated, where the authorization result includes a list of accessible resources; the list of accessible resources is displayed so that the user inputs an access instruction according to it; and the pre-stored resource or the resource of the server indicated by the access instruction is obtained.
  • FIG. 1 is a schematic flowchart 1 of a resource security access method according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart 2 of a resource security access method according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a resource security access device according to an embodiment of the present invention
  • FIG. 4 is a schematic structural diagram of a resource security access device according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram 3 of a resource security access device according to an embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of a resource security accessor according to an embodiment of the present invention.
  • the embodiment of the invention provides a resource security access method. As shown in FIG. 1, the method includes:
  • the resource security access device obtains the user's authentication information and the browser software summary.
  • in the resource security access method, when the resource security access device is activated by the user, the resource security access device first reads the built-in user authentication page. The user needs to input the authentication information through this page and insert the hardware key as needed; if the hardware key is inserted, the resource security access device automatically extracts the hardware key identifier.
  • the hardware key of the embodiment of the present invention may be a reliable, high-speed, small-sized storage device with a password verification function that is directly connected to a computer through USB (Universal Serial Bus).
  • the authentication information may be an account name or a password set by the user, or may be personal information such as the user's name, work number, or ID number, or information such as a digital certificate or a dynamic password.
  • a digital certificate is a series of data that identifies the parties to a communication on the Internet and provides a way to verify a user's identity on the Internet, similar to a driver's license or an ID card in daily life.
  • a dynamic password is a random combination of numbers generated according to a special algorithm; its main forms are mobile phone text messages, hardware tokens, mobile phone tokens, and dynamic passwords.
  • when the resource security access device is activated by the user, it also reads the browser software summary of the browser used by the user. The browser software summary is the identifier of the browser and may be a string; through this string, the resource security access device can determine whether it has been overwritten by an external illegal operation, which would create a security risk.
  • if the identity verification information matches the corresponding user information pre-stored in the user trust list, and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, the resource security access device generates the authorization result of the user; the authorization result includes a list of accessible resources.
  • after the resource security access device obtains the user's authentication information and the browser software summary, it verifies each of them.
  • the resource security access device sends the obtained user authentication information and browser software summary to the authentication module of the resource security access device for authentication through a tunnel established by SSL (Secure Sockets Layer) negotiation, where SSL is a security protocol that provides security and data integrity for network communications, encrypting network connections at the transport layer.
  • sending the authentication information and the browser software summary to the authentication module is not limited to a tunnel established by the SSL protocol; the tunnel may also be based on a security protocol such as TLS (Transport Layer Security).
  • once the authentication information and the browser software summary have been sent to the authentication module through the tunnel, if the authentication information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, the user is authenticated and is therefore allowed to browse resources.
  • after the user passes the identity information verification, the resource security access device generates the authorization result of the user, and the authorization result includes a list of accessible resources, so that the user can access the resource through the resource list.
  • the resource security access device displays the accessible resource list, so that the user inputs the access instruction according to the accessible resource list.
  • after the user passes the identity information verification, the resource security access device generates the user's authorization result, which includes an accessible resource list and a resource usage policy and is displayed to the user through the resource security access device, so that the user can input an instruction through the resource list.
  • the authorization result generated by the resource security access device includes a list of accessible resources. The resource list is displayed to the user in the form of a resource bookmark page, and the resource bookmarks are constructed from a resource page template built into the resource security access device. The bookmarks include not only web resources but also applications, desktops, virtual machines, and so on, so that users can find their own resources clearly and conveniently and then input access commands.
  • the resource security access device acquires the pre-stored resource or the resource of the server indicated by the access instruction.
  • the resource security access device receives the access instruction input by the user, and acquires a pre-stored resource or a resource of the server indicated by the access instruction. It should be added that the pre-stored resources indicated by the access instruction or the resources of the server respectively represent different resource types, and the resource security access device divides the resources into offline resources and resources that the user needs to access online.
  • the pre-stored resource refers to a resource that the user can access offline.
  • the resource of the server refers to a resource that the user needs to access online.
  • the offline resource is a resource that is stored in the resource security access device and is obtained from the server in advance by the resource security access device.
  • if the resource indicated by the access instruction is a resource of the server, that is, a resource that the user needs to access online, the server transmits the data through the encrypted tunnel of the security protocol, and the resource is collectively displayed to the user.
  • the method for securely accessing resources obtains the user's identity verification information and the browser software summary; if the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, the authorization result of the user is generated, where the authorization result includes a list of accessible resources; the list of accessible resources is displayed so that the user inputs an access instruction according to it; and the pre-stored resource or the resource of the server indicated by the access instruction is obtained.
  • the embodiment of the invention provides a resource security access method. As shown in FIG. 2, the method includes:
  • the S20 resource security access device obtains the user's authentication information, browser software summary, and hardware key identifier.
  • when the resource security access device is activated by the user, the resource security access device first reads the built-in user authentication page, and the user needs to input the authentication information through this page and then insert the hardware key. The resource security access device automatically extracts the hardware key identifier. The hardware key of the embodiment of the present invention may be a reliable, high-speed, small-sized storage device with a password verification function that is directly connected to the computer through USB.
  • the authentication information may be an account name or a password set by the user, or may be personal information such as the user's name, work number, or ID number, or information such as a digital certificate or a dynamic password.
  • a digital certificate is a series of data that identifies the parties to a communication on the Internet and provides a way to verify a user's identity on the Internet, similar to a driver's license or an ID card in daily life.
  • a dynamic password is a random combination of numbers generated according to a special algorithm; its main forms are mobile phone text messages, hardware tokens, mobile phone tokens, and dynamic passwords.
  • when the resource security access device is activated by the user, it also reads the browser software summary of the browser used by the user. The browser software summary is the identifier of the browser and may be a string; through this string, the resource security access device can determine whether it has been overwritten by an external illegal operation, which would create a security risk.
  • if the authentication information matches the corresponding user information pre-stored in the user trust list, the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the resource security access device generates an authorization result of the user, and the authorization result includes an accessible resource list and a resource usage policy.
  • after the resource security access device obtains the user's authentication information, the browser software summary, and the hardware key identifier, it verifies each of them.
  • the resource security access device sends the obtained user authentication information, browser software summary, and hardware key identifier to the authentication module of the resource security access device for authentication through a tunnel established by SSL negotiation, where SSL is a security protocol that provides security and data integrity for network communication, encrypting network connections at the transport layer.
  • sending the user's authentication information, browser software summary, and hardware key identifier to the authentication module is not limited to a tunnel established by the SSL protocol; the tunnel to the authentication module may also be established by using a security protocol such as TLS.
  • once the authentication information, the browser software summary, and the hardware key identifier have been sent to the authentication module through the tunnel, if the authentication information matches the corresponding user information pre-stored in the user trust list, the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the user is authenticated and is therefore allowed to browse resources.
  • after the user passes the identity information verification, the resource security access device generates the authorization result of the user, and the authorization result includes an accessible resource list and a resource usage policy, so that the user can access the resource through the resource list.
  • the pre-stored resources indicated by the access instruction or the resources of the server respectively represent different resource types, and the resource security access device divides the resources into offline resources and resources that the user needs to access online.
  • the pre-stored resource refers to a resource that the user can access offline
  • the resource of the server refers to a resource that the user needs to access online.
  • the offline resource is a resource that is stored in the resource security access device and is obtained from the server in advance by the resource security access device.
  • the resource security access device divides the security level of all files into 10 levels according to a policy.
  • user A is an employee of a company who is still in the internship period; the user rights information indicates that the user is not allowed to upload and download resources.
  • user B is a general employee of a company; the user rights information indicates that the user is allowed to upload and download resources, and the resource security access level information is level 3, that is, the level of resources that the user is allowed to download is 3, meaning that the user can download resources of level 1, level 2, and level 3.
  • user C is the administrator of a company; the user rights information indicates that the user is allowed to upload and download resources, and the resource security access level information is level 10, that is, the level of resources that the user is allowed to download is 10, meaning that the user can download all resources.
  • the resource security access device displays the accessible resource list, so that the user inputs the access instruction according to the accessible resource list.
  • after the user passes the identity information verification, the resource security access device generates the user's authorization result, which includes an accessible resource list and a resource usage policy and is displayed to the user through the resource security access device, so that the user can input an instruction through the resource list.
  • the authorization result generated by the resource security access device includes the accessible resource list and the resource usage policy. The resource list is displayed to the user in the form of a resource bookmark page, and the resource bookmarks are constructed from a resource page template built into the resource security access device. The bookmarks include not only web resources but also applications, desktops, virtual machines, and other resources, so that users can find their own resources clearly and conveniently and then input access commands.
  • the resource security access device acquires a pre-stored resource or a resource of the server indicated by the access instruction according to the resource usage policy.
  • the resource security access device receives the access instruction input by the user, and acquires the pre-stored resource or the resource of the server indicated by the access instruction according to the resource usage policy.
  • the pre-stored resources indicated by the access instruction or the resources of the server respectively refer to different resource types, and the resource security access device divides the resources into resources that can be accessed offline and resources that need to be accessed by users online.
  • the pre-stored resource refers to the resource that the user can access offline.
  • the resource of the server refers to the resource that the user needs to access online.
  • the resource that the user can access offline is pre-made in the browser before the user uses the browser.
  • if the resource indicated by the access instruction is a resource of the server, that is, a resource that the user needs to access online, the server transmits the data through the encrypted tunnel of the security protocol, and the resource is displayed to the user according to the resource usage policy.
  • the resource security access device stores the resource acquired from the server.
  • the resource security access device encrypts the resources of the obtained server.
  • steps S205 and S206 describe how the resource security access device obtains resources from the server and encrypts them.
  • the pre-stored resources indicated by the access instruction and the resources of the server are different resource types: the resource security access device divides resources into resources that can be accessed offline and resources that the user needs to access online. Pre-stored resources are resources that users can access offline; server resources are resources that users need to access online.
  • the offline resource is stored in the browser before the user uses the browser, and it is encrypted by the resource security access device to prevent the data from being viewed by external illegal software.
  • the server transmits the data through the encrypted tunnel of the security protocol.
  • the data cache is encrypted: an encryption mark and a temporary key index are attached to the HTTP (Hypertext Transport Protocol) response header and passed with the response information.
  • the resource security access device parses the response and, according to the encryption mark and the temporary key index, requests a one-time session key from the security gateway of the resource security access device; the encrypted document is decrypted with this key and displayed to the user.
  • in addition to the cache and offline resources, what the resource security access device stores also includes the user's behavior policy, which refers to records of the user's access behavior, downloaded files, opened documents, and so on.
  • the resource security access device does not acquire the resource of the server indicated by the access instruction.
  • if the user's access times out, the resource security access device automatically terminates the user's access operation and does not obtain the resources of the server indicated by the access instruction.
  • the resource security access device deletes the stored resource acquired from the server and deletes the resource downloaded by the user.
  • the resource security access device triggers the log-out behavior, and the resource security access device deletes the stored resources acquired from the server and deletes the resources downloaded by the user, thereby ensuring data security.
  • the method for securely accessing resources obtains the user's identity verification information, browser software summary, and hardware key identifier; if the identity verification information matches the corresponding user information pre-stored in the user trust list, the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the authorization result of the user is generated, where the authorization result includes an accessible resource list and a resource usage policy, and the list of accessible resources is displayed, so that the user inputs the access instruction according to the accessible resource list, and according to the resource usage policy.
  • the embodiment of the present invention provides a resource security access device 1.
  • the functional units of the resource security access device 1 can be used in the foregoing method steps. As shown in FIG. 3, the resource security access device 1 includes:
  • the local service module 10 is configured to obtain the user's authentication information and the browser software summary, and display the accessible resource list, so that the user inputs the access instruction according to the accessible resource list.
  • the local service module 10 is further configured to obtain a hardware key identifier.
  • In the modern enterprise office mode, business access based on browser web pages has gradually become the main form of enterprise office work, which can improve the work efficiency of enterprise employees and make full use of the convenience of the Internet.
  • The local service module 10 reads the built-in user identity verification page, and the user needs to input the authentication information through that page and then insert the hardware key as required. If the hardware key is inserted, the resource security access device 1 automatically extracts the hardware key identifier.
  • The hardware key of the embodiment of the present invention may be a reliable, high-speed, small-sized storage device with a password verification function that is connected directly to a computer through USB.
  • The authentication information may be an account name or a password set by the user, or personal information such as the user's name, work number, or ID number, or information such as a digital certificate or a dynamic password. A digital certificate is a series of data that identifies the parties to a communication on the Internet and provides a way to verify a user's identity on the Internet, similar to a driver's license or an ID card in daily life.
  • Dynamic passwords are random number combinations generated according to a specialized algorithm; the main forms are mobile phone text messages, hardware tokens, mobile phone tokens, and dynamic passwords.
  • When the resource security access device 1 is started by the user, the local service module 10 also reads the browser software summary of the browser used by the user. The browser software summary is the identifier of the browser and may be a string; through this string, the resource security access device 1 can determine whether it has been overwritten by an external illegal operation, which would create a security risk.
  • After the user passes the identity information verification, the resource security access device 1 generates a user authorization result that includes a list of accessible resources, which is displayed to the user through the resource security access device 1 so that the user can input the access instruction through the resource list.
  • The resource security access device 1 generates a user authorization result including an accessible resource list and a resource usage policy. The resource list is displayed to the user in the form of a resource bookmark page, and the resource bookmarks are constructed according to the built-in resource page templates of the resource security access device 1.
  • The bookmarks include not only web resources but also applications, desktops, virtual machines and other resources, so that users can find the resources they need clearly and conveniently and then input access instructions.
  • The authentication module 11 is configured to generate the authorization result of the user if the authentication information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list; the authorization result includes a list of accessible resources.
  • The authentication module 11 is further configured to generate an authorization result of the user if the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list.
  • The authorization result further includes a resource usage policy.
  • After the resource security access device 1 obtains the user's authentication information, the browser software digest, and the hardware key identifier, each is verified separately.
  • The resource security access device 1 sends the obtained user's authentication information, browser software digest, and hardware key identifier to the authentication module 11 of the resource security access device 1 for authentication through the tunnel established based on the SSL negotiation, where SSL is a security protocol that provides security and data integrity for network communications, encrypting network connections at the transport layer.
  • The user's authentication information, browser software digest, and hardware key identifier acquired by the resource security access device 1 are not limited to being sent to the authentication module 11 through the tunnel established based on the SSL protocol; they may also be sent to the authentication module 11 of the resource security access device 1 for authentication through a tunnel based on a security protocol such as TLS.
  • The resource security access device 1 sends the obtained user's authentication information, browser software digest, and hardware key identifier to the authentication module 11 of the resource security access device 1 for authentication through the tunnel established based on the SSL negotiation. If the identity verification information matches the corresponding user information pre-stored in the user trust list, the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the user has passed the authentication and can continue to browse the resources.
  • After the user passes the identity information verification, the resource security access device 1 generates a user authorization result that includes an accessible resource list and a resource usage policy, so that the user can access the resource through the resource list.
  • The authorization result generated after the user passes the identity information verification includes, in addition to the accessible resource list and the resource usage policy, user rights information and resource security access level information. The user rights information indicates whether the user is allowed to upload or download resources, and the resource security access level information indicates the level of resources that the user is allowed to download.
  • The resource security access device 1 divides the security level of all files into 10 levels according to a policy.
  • User A is an employee of a company who is still in the internship period, and the user rights information indicates that the user is not allowed to upload and download resources.
  • User B is an ordinary employee of a company. The user rights information indicates that the user is allowed to upload and download resources, and the resource security access level information is level 3, that is, the level of resources that the user is allowed to download is 3, indicating that the user can download resources of level 1, level 2, and level 3.
  • User C is the administrator of a company. The user rights information indicates that the user is allowed to upload and download resources, and the resource security access level information is level 10, that is, the level of resources that the user is allowed to download is 10, indicating that the user can download all resources.
  • The secure communication module 12 is configured to obtain a pre-stored resource or a resource of the server indicated by the access instruction according to the resource usage policy.
  • The secure communication module 12 is specifically configured to acquire, according to the resource usage policy, a pre-stored resource or a resource of the server indicated by the access instruction.
  • The resource security access device 1 receives the access instruction input by the user, and acquires a pre-stored resource or a resource of the server indicated by the access instruction according to the resource usage policy.
  • The pre-stored resources and the resources of the server indicated by the access instruction are different resource types: the resource security access device 1 divides resources into those that can be accessed offline and those that users need to access online.
  • Pre-stored resources refer to resources that users can access offline.
  • Server resources refer to resources that users need to access online. Resources that users can access offline are pre-stored in the browser before users use the browser.
  • If the resource of the server indicated by the access instruction is obtained, that is, a resource that the user needs to access online, the server transmits the data through the encrypted tunnel based on the security protocol, and the resource is displayed to the user according to the resource usage policy.
  • The secure communication module 12 is further configured not to acquire the resource of the server indicated by the access instruction if the access instruction input by the user is received after the preset period.
  • That is, the user's access has timed out, and the resource security access device 1 automatically terminates the user's access operation and does not acquire the resource of the server indicated by the access instruction.
  • The resource security access device 1 further includes: a storage module 13 that stores resources acquired from the server.
  • The resource security access device 1 further includes: an encryption module 14 configured to encrypt the resources obtained from the server.
  • The pre-stored resources and the resources of the server indicated by the access instruction are different resource types: the resource security access device 1 divides resources into those that can be accessed offline and those that the user needs to access online.
  • Pre-stored resources refer to resources that users can access offline.
  • Server resources refer to resources that users need to access online.
  • The server transmits the data through the encrypted tunnel based on the security protocol, with the encryption token and the temporary key index attached to the HTTP response header. After the resource security access device 1 parses the response information, it uses the encryption token and the temporary key index to request the one-time session key from the security gateway of the resource security access device 1, and the encrypted document is decrypted with that key and presented to the user.
  • In addition to the cache and offline resources, the resource security access device 1 stores the resources acquired from the server and also the user's behavior policy, where the user's behavior policy refers to recording the user's access behavior, downloaded files, played documents, and so on.
  • The storage module 13 is further configured to delete the stored resources acquired from the server and delete the resources downloaded by the user if a logout or exit instruction input by the user is received.
  • The resource security access device 1 triggers the logout behavior, deletes the stored resources acquired from the server, and deletes the resources downloaded by the user, thereby ensuring data security.
  • The resource security access device 1 provided by the embodiment of the present invention obtains the user's identity verification information and the browser software summary. If the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, it generates a user authorization result that includes a list of accessible resources, displays the list of accessible resources so that the user can input an access instruction according to that list, and obtains the pre-stored resource or server resource indicated by the access instruction.
  • Because the user's authentication information, the browser software digest, and the hardware key identifier are authenticated, only an authenticated user can access the server, which enables the user to securely access the server's resources and protects the server resources.
  • The embodiment of the present invention provides a resource security accessor 2, which corresponds to the foregoing solution embodiment, and each functional unit of the resource security accessor 2 can be used in the foregoing method steps. As shown in Figure 6, it includes:
  • The secure browser 20 is configured to obtain the user's authentication information and the browser software summary, to display the accessible resource list so that the user inputs the access instruction according to the accessible resource list, and to obtain the pre-stored resource or server resource indicated by the access instruction.
  • The secure browser is further configured to obtain a hardware key identifier.
  • In the method for secure access of resources, when the resource security accessor 2 is started by the user, it first reads the user identity verification page built into the resource security accessor 2; the user needs to input the authentication information and then insert the hardware key, and the resource security accessor 2 automatically extracts the hardware key identifier. The hardware key refers to a reliable, high-speed, small storage device with a password verification function that is connected directly to the computer through USB.
  • The authentication information may be an account name or a password set by the user, or personal information such as the user's name, work number, or ID number, or information such as a digital certificate or a dynamic password. A digital certificate is a series of data that identifies the parties to a communication on the Internet and provides a way to verify a user's identity on the Internet, similar to a driver's license or an ID card in daily life.
  • Dynamic passwords are random number combinations generated according to a special algorithm; the main forms are mobile phone text messages, hardware tokens, mobile phone tokens, and dynamic passwords.
  • When the resource security accessor 2 is started by the user, it also reads the browser software summary. We can treat the browser software summary as a string unique to the browser itself; through this string, we can know whether the resource security accessor 2 has been overwritten by an external illegal operation, which would create a security risk.
  • After the user passes the identity information verification, the resource security accessor 2 generates the authorization result of the user, which includes the accessible resource list and the resource usage policy and is displayed to the user through the resource security accessor 2, so that the user can input access instructions through the resource list.
  • The resource security accessor 2 generates the user's authorization result including the accessible resource list and the resource usage policy. The resource list is presented to the user in the form of a resource bookmark page, and the resource bookmarks are constructed according to the built-in resource page template of the resource security accessor 2. The bookmarks include not only webpage resources but also resources such as applications, desktops, and virtual machines, so that the user can find the required resources clearly and conveniently and then input the access instruction.
  • The resource security accessor 2 receives the access instruction input by the user, and acquires the pre-stored resource or the resource of the server indicated by the access instruction according to the resource usage policy.
  • The pre-stored resources and the resources of the server indicated by the access instruction are different resource types: the resource security accessor 2 divides resources into those that can be accessed offline and those that users need to access online.
  • The pre-stored resource refers to a resource that the user can access offline.
  • The resource of the server refers to a resource that the user needs to access online.
  • The resource that the user can access offline is pre-stored in the browser before the user uses the browser.
  • If the resource of the server indicated by the access instruction is obtained, that is, a resource that the user needs to access online, the server transmits the data through the encrypted tunnel based on the security protocol, and the resource is displayed to the user according to the resource usage policy.
  • The security gateway 21 is configured to generate the authorization result of the user if the authentication information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list; the authorization result includes a list of accessible resources.
  • The security gateway is further configured to generate an authorization result of the user if the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list.
  • The authorization result further includes a resource usage policy.
  • The secure browser is specifically configured to acquire, according to the resource usage policy, a pre-stored resource or a resource of the server indicated by the access instruction.
  • After the resource security accessor 2 obtains the user's authentication information, the browser software digest, and the hardware key identifier, each is verified separately.
  • The resource security accessor 2 sends the obtained user's authentication information, browser software digest, and hardware key identifier to the authentication module of the resource security accessor 2 for authentication through a tunnel established based on the SSL negotiation, where SSL is a security protocol that provides security and data integrity for network communications, encrypting network connections at the transport layer.
  • The user's authentication information, browser software digest, and hardware key identifier acquired by the resource security accessor 2 are not limited to being sent to the authentication module through the tunnel established based on the SSL protocol; they may also be sent to the authentication module of the resource security accessor 2 for authentication through a tunnel based on a security protocol such as TLS.
  • The resource security accessor 2 sends the obtained user's authentication information, browser software digest, and hardware key identifier to the authentication module of the resource security accessor 2 for authentication through the tunnel established based on the SSL negotiation. If the authentication information matches the corresponding user information pre-stored in the user trust list, the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the user has passed the authentication and can continue to browse the resources.
  • After the user passes the identity information verification, the resource security accessor 2 generates the authorization result of the user, which includes the accessible resource list and the resource usage policy, so that the user can access the resource through the resource list.
  • The authorization result generated after the user passes the identity information verification includes, in addition to the accessible resource list and the resource usage policy, user rights information and resource security access level information. The user rights information indicates whether the user is allowed to upload or download resources, and the resource security access level information indicates the level of resources that the user is allowed to download.
  • The resource security accessor 2 divides the security level of all files into 10 levels according to the policy.
  • User A is an employee of a company who is still in the internship period, and the user rights information indicates that the user is not allowed to upload and download resources.
  • User B is an ordinary employee of a company. The user rights information indicates that the user is allowed to upload and download resources, and the resource security access level information is level 3, that is, the level of resources that the user is allowed to download is 3, indicating that the user can download resources of level 1, level 2, and level 3.
  • User C is the administrator of a company. The user rights information indicates that the user is allowed to upload and download resources, and the resource security access level information is level 10, that is, the level of resources that the user is allowed to download is 10, indicating that the user can download all resources.
  • The security gateway 21 is further configured not to acquire the resource of the server indicated by the access instruction if the access instruction input by the user is received after the preset period.
  • That is, the user's access has timed out, and the resource security accessor 2 automatically terminates the user's access operation and does not obtain the resource of the server indicated by the access instruction.
  • The secure browser 20 is further configured to store resources acquired from the server. Further, the security gateway 21 is further configured to encrypt the resources obtained from the server.
  • The pre-stored resources and the resources of the server indicated by the access instruction are different resource types: the resource security accessor 2 divides resources into those that can be accessed offline and those that the user needs to access online.
  • Pre-stored resources refer to resources that users can access offline.
  • Server resources refer to resources that users need to access online.
  • The offline resource is stored in the browser before the user uses the browser, and it is encrypted by the resource security accessor 2 to prevent the data from being viewed by illegal external software.
  • The server transmits the data through the encrypted tunnel based on the security protocol, with the encryption token and the temporary key index attached to the HTTP response header. After the resource security accessor 2 parses the response information, it uses the encryption token and the temporary key index to request the one-time session key from the security gateway 21 of the resource security accessor 2, and the encrypted document is decrypted with that key and displayed to the user.
  • In addition to the cache and offline resources, the resource security accessor 2 stores the resources acquired from the server and also the user's behavior policy, where the user's behavior policy refers to recording the user's access behavior, downloaded files, played documents, and so on. Further, the resource security accessor 2 is further configured to delete the stored resources acquired from the server and delete the resources downloaded by the user if a logout or exit instruction input by the user is received.
  • The resource security accessor 2 triggers the logout tunneling behavior, deletes the stored resources acquired from the server, and deletes the resources downloaded by the user, thereby ensuring data security.
  • The device for securely accessing resources obtains the user's identity verification information and the browser software summary. If the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, it generates the authorization result of the user, which includes a list of accessible resources, displays the list of accessible resources so that the user inputs an access instruction according to that list, and obtains the pre-stored resource or server resource indicated by the access instruction.
  • The resource security access device can also be set in other user devices, for example, a tablet computer, and likewise enables users to securely access server resources and protects the server resources.
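The authorization gate and resource usage policy described above for device 1 and accessor 2, as an added Python example that is not code from the patent. It requires all three factors, as in the combined embodiment, and assumes a SHA-256 digest as the browser software summary, PBKDF2-hashed passwords in the user trust list, hardware keys bound to one user, and a 900-second preset period counted from authorization; all names and sample data are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PRESET_PERIOD = 900.0  # seconds; assumed value, the patent only says "preset period"


def pw_hash(password: str, salt: bytes) -> bytes:
    # Assumption: the user trust list stores a salted PBKDF2 hash, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def browser_summary(binary: bytes) -> str:
    # Assumption: the "browser software summary" is a SHA-256 digest of the binary.
    return hashlib.sha256(binary).hexdigest()


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    pw: bytes
    may_transfer: bool   # user rights information: upload/download allowed
    max_level: int       # resource security access level (0 = none, 1..10)
    resources: tuple     # accessible resource list shown as bookmarks


@dataclass(frozen=True)
class AuthorizationResult:
    user: str
    resources: tuple
    may_transfer: bool
    max_level: int
    issued_at: float


def _user(password, may_transfer, max_level, resources):
    salt = os.urandom(16)
    return UserRecord(salt, pw_hash(password, salt), may_transfer, max_level, resources)


# Constructed sample data: resource -> security level (1..10).
CATALOG = {"handbook": 1, "sales-report": 3, "payroll": 8}
USER_TRUST_LIST = {
    "userA": _user("pw-A", False, 0, ("handbook",)),                       # intern
    "userB": _user("pw-B", True, 3, ("handbook", "sales-report", "payroll")),
    "userC": _user("pw-C", True, 10, tuple(CATALOG)),                      # administrator
}
GOOD_BROWSER = b"secure-browser build 1.0 (constructed bytes)"
BROWSER_TRUST_LIST = {browser_summary(GOOD_BROWSER)}
# Binding each key to one user is an assumption of this example.
HARDWARE_KEY_LIST = {"HWKEY-A": "userA", "HWKEY-B": "userB", "HWKEY-C": "userC"}
_DUMMY = _user("dummy", False, 0, ())  # keeps timing similar for unknown users


def authorize(user, password, browser_binary, hw_key_id, now):
    """Return an AuthorizationResult only if all three checks match; else None."""
    rec = USER_TRUST_LIST.get(user, _DUMMY)
    pw_ok = hmac.compare_digest(pw_hash(password, rec.salt), rec.pw)
    ok_user = pw_ok and user in USER_TRUST_LIST
    ok_browser = browser_summary(browser_binary) in BROWSER_TRUST_LIST
    ok_key = HARDWARE_KEY_LIST.get(hw_key_id) == user
    # Evaluate every factor before deciding, and fail closed on any mismatch.
    if not (ok_user and ok_browser and ok_key):
        return None
    return AuthorizationResult(user, rec.resources, rec.may_transfer, rec.max_level, now)


def check_access(auth, resource, action, now):
    """Apply the resource usage policy to one access instruction.

    action is "view", "download" or "upload"; returns (allowed, reason).
    """
    if auth is None:
        return False, "not authorized"
    if now - auth.issued_at > PRESET_PERIOD:
        return False, "preset period elapsed"
    if action == "upload":
        return (True, "ok") if auth.may_transfer else (False, "transfer not permitted")
    if action not in ("view", "download"):
        return False, "unknown action"
    if resource not in auth.resources:
        return False, "not in accessible resource list"
    if action == "download":
        if not auth.may_transfer:
            return False, "transfer not permitted"
        if CATALOG[resource] > auth.max_level:
            return False, "resource level above user's level"
    return True, "ok"


if __name__ == "__main__":
    b = authorize("userB", "pw-B", GOOD_BROWSER, "HWKEY-B", now=0.0)
    for res, act in [("sales-report", "download"), ("payroll", "download"), ("payroll", "view")]:
        print(res, act, check_access(b, res, act, now=60.0))
    print(authorize("userB", "pw-B", GOOD_BROWSER + b"patched", "HWKEY-B", now=0.0))
```

A browser binary whose digest is not in the trust list, or a hardware key registered to another user, yields no authorization result at all, so the bookmark page is never built for that session.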


Abstract

The present invention relates to the technical field of communications/information technology. An embodiment of the present invention provides a method and device for secure access to a resource; said embodiment enables authentication of the identity authentication information and the browser software summary of a user, enabling a user to access a resource of a server securely and protecting the server resource. The method comprises: acquiring both the identity authentication information and the browser software summary of a user; generating a result for user authorization if the identity authentication information matches the corresponding user information prestored in a list of trusted users, and if the browser software summary matches the corresponding browser software summary information prestored in a list of trusted browsers; displaying a list of accessible resources, so that the user can enter an access instruction according to said list of accessible resources; and acquiring a prestored resource or server resource as indicated in the access instruction.

Description

Resource security access method and device

Technical field

The present invention relates to the field of communication/information technology, and in particular to a resource security access method and device.

Background

With the rapid development of integrated circuit technology, mobile terminals have acquired powerful processing capabilities and are changing from simple calling tools into integrated information processing platforms. In recent years, more and more enterprises have begun to use mobile terminals to access the enterprise intranet for mobile office work, in order to improve the efficiency of their employees and make full use of the convenience of the mobile Internet. Web pages are the main carrier of enterprise information technology services, and the vast majority of enterprise services provide web-based applications: enterprise portals, office automation systems, mail, enterprise resource planning, customer relationship management, financial systems and so on all provide web services so that users can access them from various types of terminals. Therefore, business access based on browser web pages has gradually become the main form of enterprise office work, and with the rise of HTML 5 (Hypertext Markup Language 5), the spread of web applications will become even more apparent, and in turn the security requirements for web applications are becoming higher and higher.

In the prior art, the common security technology for secure access from mobile terminals is the VPN (Virtual Private Network). However, on the one hand, existing VPN technology needs to obtain advanced access rights, which requires authorization by the operating system, so compatibility development is needed for different application manufacturers, which makes VPN technology poorly versatile; on the other hand, a VPN cannot perform fine-grained access control, and enterprise data downloaded to the local device through the VPN is left unprotected, so there is a considerable risk of leakage.

Summary of the invention

The embodiments of the present invention provide a resource security access method, device, and system that can verify the user's authentication information and browser software summary, so that the user can securely access the server's resources and the server resources are protected. To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:

In a first aspect, an embodiment of the present invention provides a resource security access method, the method including:

obtaining the user's authentication information and browser software summary;

if the authentication information matches the corresponding user information pre-stored in the user trust list, and the browser software summary matches the corresponding browser software summary information pre-stored in the browser trust list, generating the authorization result of the user, where the authorization result includes a list of accessible resources;

displaying the accessible resource list, so that the user inputs an access instruction according to the accessible resource list;

obtaining the pre-stored resource or the resource of the server indicated by the access instruction.

In a first possible implementation, according to the first aspect, the method further includes:

obtaining a hardware key identifier;

if the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, generating the authorization result of the user.

In a second possible implementation, in combination with the first aspect or the first possible implementation, the authorization result further includes a resource usage policy;

where obtaining the pre-stored resource or the resource of the server indicated by the access instruction includes:

obtaining, according to the resource usage policy, the pre-stored resource or the resource of the server indicated by the access instruction.

In a third possible implementation, in combination with the first aspect or the first possible implementation or the second possible implementation, the method further includes:

if the access instruction input by the user is received after the preset period, not obtaining the resource of the server indicated by the access instruction.

In a fourth possible implementation, in combination with the first aspect or the first possible implementation to the third possible implementation, the method further includes:

the authorization result further includes user rights information, and the user rights information indicates whether the user is allowed to upload or download resources.

In a fifth possible implementation, in combination with the first aspect or the first possible implementation to the fourth possible implementation, the method further includes:

the authorization result further includes resource security access level information, and the resource security access level information indicates the level of resources that the user is allowed to download.

In a second aspect, an embodiment of the present invention further provides a resource security access device, where the device includes:

a local service module, configured to acquire the user's identity verification information and a browser software digest, and to display the accessible resource list so that the user inputs an access instruction according to the accessible resource list;

an authentication module, configured to generate an authorization result of the user if the identity verification information matches the corresponding user information pre-stored in a user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in a browser trust list, where the authorization result includes the accessible resource list; and

a secure communication module, configured to acquire the pre-stored resource or the server resource indicated by the access instruction.

In a first possible implementation, according to the second aspect,

the local service module is further configured to acquire a hardware key identifier; and

the authentication module is further configured to generate the authorization result of the user if the hardware key identifier matches the corresponding hardware key information pre-stored in a hardware key list.

In a second possible implementation, with reference to the second aspect or the first possible implementation, the authorization result further includes a resource usage policy;

where the secure communication module is specifically configured to acquire, according to the resource usage policy, the pre-stored resource or the server resource indicated by the access instruction.

In a third possible implementation, with reference to the second aspect, the first possible implementation or the second possible implementation, the secure communication module is further configured not to acquire the server resource indicated by the access instruction if the access instruction input by the user is received after a preset period.

In a fourth possible implementation, with reference to the second aspect or any of the first to third possible implementations, the authorization result further includes user rights information, and the user rights information indicates whether the user is allowed to upload or download resources.

In a fifth possible implementation, with reference to the second aspect or any of the first to fourth possible implementations, the authorization result further includes resource security access level information, and the resource security access level information indicates the level of resources that the user is allowed to download.

In a third aspect, an embodiment of the present invention further provides a resource security accessor, where the resource security accessor includes:

a secure browser, configured to acquire the user's identity verification information and a browser software digest, to display the accessible resource list so that the user inputs an access instruction according to the accessible resource list, and to acquire the pre-stored resource or the server resource indicated by the access instruction; and

a security gateway, configured to generate an authorization result of the user if the identity verification information matches the corresponding user information pre-stored in a user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in a browser trust list, where the authorization result includes the accessible resource list.

In a first possible implementation, according to the third aspect,

the secure browser is further configured to acquire a hardware key identifier; and

the security gateway is further configured to generate the authorization result of the user if the hardware key identifier matches the corresponding hardware key information pre-stored in a hardware key list.

In a second possible implementation, with reference to the third aspect or the first possible implementation, the authorization result further includes a resource usage policy;

where the secure browser is specifically configured to acquire, according to the resource usage policy, the pre-stored resource or the server resource indicated by the access instruction.

In the method and device for secure access to resources provided by the embodiments of the present invention, the user's identity verification information and a browser software digest are acquired. If the identity verification information matches the corresponding user information pre-stored in a user trust list, and the browser software digest matches the corresponding browser software digest information pre-stored in a browser trust list, an authorization result of the user is generated, where the authorization result includes an accessible resource list. The accessible resource list is displayed so that the user inputs an access instruction according to it, and the pre-stored resource or the server resource indicated by the access instruction is acquired. With this solution, because the user's identity verification information, the browser software digest and the hardware key identifier are all authenticated, only an authenticated user can access the server, so that the user can access the server's resources securely and the server's resources are protected.

Brief Description of the Drawings

To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a first schematic flowchart of a resource security access method according to an embodiment of the present invention;
FIG. 2 is a second schematic flowchart of a resource security access method according to an embodiment of the present invention;
FIG. 3 is a first schematic structural diagram of a resource security access device according to an embodiment of the present invention;
FIG. 4 is a second schematic structural diagram of a resource security access device according to an embodiment of the present invention;
FIG. 5 is a third schematic structural diagram of a resource security access device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a resource security accessor according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

An embodiment of the present invention provides a resource security access method. As shown in FIG. 1, the method includes:

S101. The resource security access device acquires the user's identity verification information and a browser software digest.

In modern enterprise office work, business access through browser web pages has gradually become the main form of working. In the resource security access method proposed in this embodiment, when the resource security access device is started by the user, it first loads its built-in user identity verification page. The user enters identity verification information through this page and inserts a hardware key if required. If a hardware key is inserted, the resource security access device automatically extracts the hardware key identifier. The hardware key in this embodiment may be a small, reliable, high-speed storage device with a password verification function that connects directly to the computer through USB (Universal Serial Bus).

It should be noted that, depending on the policy, the identity verification information may be an account name and password set by the user, personal information such as the user's name, employee number or ID card number, or information such as a digital certificate or a dynamic password. A digital certificate is a series of data that identifies the communicating parties in Internet communication and provides a way to verify a user's identity on the Internet; its role is similar to a driver's license or an ID card in daily life. A dynamic password is a changing random combination of digits generated by a dedicated algorithm. Its main forms are SMS messages, hardware tokens, mobile phone tokens and dynamic passwords.

When the resource security access device is started by the user, it also reads the digest of the browser software used by the user. The browser software digest is an identifier of the browser and may specifically be a string. From this string, the resource security access device can determine whether the browser has been rewritten by an external illegal operation, which would create a security risk.

S102. If the identity verification information matches the corresponding user information pre-stored in the user trust list, and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, the resource security access device generates an authorization result of the user, where the authorization result includes an accessible resource list.

After acquiring the user's identity verification information and the browser software digest, the resource security access device verifies each of them. It sends the acquired identity verification information and browser software digest to its authentication module for authentication through a tunnel established by SSL (Secure Sockets Layer) negotiation. SSL is a security protocol that provides security and data integrity for network communication and encrypts the network connection at the transport layer.

It should be noted that the identity verification information and browser software digest acquired by the resource security access device need not be sent to the authentication module only through a tunnel established with the SSL protocol; the tunnel may also be established with another security protocol such as TLS (Transport Layer Security).

The resource security access device sends the acquired identity verification information and browser software digest to its authentication module for authentication through the tunnel established by SSL negotiation. If the identity verification information matches the corresponding user information pre-stored in the user trust list, and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, the user has passed authentication and is allowed to browse resources.

After the user passes identity verification, the resource security access device generates the authorization result of the user. The authorization result includes the accessible resource list, so that the user can access resources through the resource list.

S103. The resource security access device displays the accessible resource list, so that the user inputs an access instruction according to the accessible resource list.

After the user passes identity verification, the resource security access device generates the authorization result of the user. The authorization result includes the accessible resource list and a resource usage policy and is displayed to the user by the resource security access device, so that the user can input an access instruction through the resource list.

It should be added that the authorization result generated by the resource security access device includes the accessible resource list. The resource list is presented to the user as a resource bookmark page, and the resource bookmarks are constructed from a resource page template built into the resource security access device. The bookmarks cover not only web page resources but also resources such as applications, desktops and virtual machines, so that the user can clearly and conveniently find the resources needed and then input an access instruction.

S104. The resource security access device acquires the pre-stored resource or the server resource indicated by the access instruction.

The resource security access device receives the access instruction input by the user and acquires the pre-stored resource or the server resource indicated by the access instruction.

It should be added that the pre-stored resource and the server resource indicated by the access instruction are different resource types: the resource security access device divides resources into offline resources and resources that the user must access online. A pre-stored resource is a resource that the user can access offline, and a server resource is a resource that the user must access online. An offline resource is a resource that the resource security access device has obtained from the server in advance and stored in the resource security access device.

If the server resource indicated by the access instruction is acquired, that is, a resource that the user must access online, the server transmits the data through an encrypted tunnel based on a security protocol, and the resources are presented to the user in one place.

In the resource security access method provided by this embodiment of the present invention, the user's identity verification information and a browser software digest are acquired. If the identity verification information matches the corresponding user information pre-stored in the user trust list, and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, an authorization result of the user is generated, where the authorization result includes an accessible resource list. The accessible resource list is displayed so that the user inputs an access instruction according to it, and the pre-stored resource or the server resource indicated by the access instruction is acquired. With this solution, because the user's identity verification information, the browser software digest and the hardware key identifier are all authenticated, only an authenticated user can access the server, so that the user can access the server's resources securely and the server's resources are protected.

An embodiment of the present invention provides a resource security access method. As shown in FIG. 2, the method includes:

S201. The resource security access device acquires the user's identity verification information, a browser software digest and a hardware key identifier.

In modern enterprise office work, business access through browser web pages has gradually become the main form of working; it improves employees' efficiency and makes full use of the convenience of the Internet. In the resource security access method proposed in this embodiment, when the resource security access device is started by the user, it first loads its built-in user identity verification page. The user enters identity verification information through this page and then inserts a hardware key, and the resource security access device automatically extracts the hardware key identifier. The hardware key in this embodiment may be a small, reliable, high-speed storage device with a password verification function that connects directly to the computer through USB.

It should be noted that, depending on the policy, the identity verification information may be an account name and password set by the user, personal information such as the user's name, employee number or ID card number, or information such as a digital certificate or a dynamic password. A digital certificate is a series of data that identifies the communicating parties in Internet communication and provides a way to verify a user's identity on the Internet; its role is similar to a driver's license or an ID card in daily life. A dynamic password is a changing random combination of digits generated by a dedicated algorithm. Its main forms are SMS messages, hardware tokens, mobile phone tokens and dynamic passwords.

When the resource security access device is started by the user, it also reads the digest of the browser software used by the user. The browser software digest is an identifier of the browser and may specifically be a string. From this string, the resource security access device can determine whether the browser has been rewritten by an external illegal operation, which would create a security risk.

S202. If the identity verification information matches the corresponding user information pre-stored in the user trust list, the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the resource security access device generates an authorization result of the user, where the authorization result includes an accessible resource list and a resource usage policy.

After acquiring the user's identity verification information, the browser software digest and the hardware key identifier, the resource security access device verifies each of them. It sends the acquired identity verification information, browser software digest and hardware key identifier to its authentication module for authentication through a tunnel established by SSL negotiation. SSL is a security protocol that provides security and data integrity for network communication and encrypts the network connection at the transport layer.

It should be noted that the identity verification information, browser software digest and hardware key identifier acquired by the resource security access device need not be sent to the authentication module only through a tunnel established with the SSL protocol; the tunnel may also be established with another security protocol such as TLS.

The resource security access device sends the acquired identity verification information, browser software digest and hardware key identifier to its authentication module for authentication through the tunnel established by SSL negotiation. If the identity verification information matches the corresponding user information pre-stored in the user trust list, the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the user has passed authentication and is allowed to browse resources.

After the user passes identity verification, the resource security access device generates the authorization result of the user. The authorization result includes the accessible resource list and the resource usage policy, so that the user can access resources through the resource list.

It should be added that the pre-stored resource and the server resource indicated by the access instruction are different resource types: the resource security access device divides resources into offline resources and resources that the user must access online. A pre-stored resource is a resource that the user can access offline, and a server resource is a resource that the user must access online. An offline resource is a resource that the resource security access device has obtained from the server in advance and stored in the resource security access device.

For example, the resource security access device divides the security level of all files into 10 levels according to policy. User A is an employee of a company who is still in the probationary internship period, and the user rights information indicates that this user is not allowed to upload or download resources. User B is an ordinary employee of a company; the user rights information indicates that this user is allowed to upload and download resources, and the resource security access level information is level 3, that is, the level of resources the user is allowed to download is 3, meaning that the user can download resources of level 1, level 2 and level 3. User C is a manager of a company; the user rights information indicates that this user is allowed to upload and download resources, and the resource security access level information is level 10, that is, the level of resources the user is allowed to download is 10, meaning that the user can download all resources.
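The three-factor check of S202 and the users A, B and C above can be put together as follows. This is an added example, not code from the patent. The patent does not name a digest algorithm, a password storage format or a data layout, so SHA-256, PBKDF2, the key-id-to-owner mapping, the whole catalogue as the resource list, measuring the preset period from the time the authorization result is issued, and all class, function and resource names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2, so the user trust list never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass(frozen=True)
class UserEntry:
    salt: bytes
    pw: bytes
    may_transfer: bool  # user rights information: upload/download allowed?
    level: int          # resource security access level (0 = none, assumed)

@dataclass(frozen=True)
class Resource:
    name: str
    level: int          # security level 1..10
    offline: bool       # True: pre-stored on the device, False: held by the server

@dataclass(frozen=True)
class AuthorizationResult:
    user: str
    resource_list: tuple
    may_transfer: bool
    level: int
    issued_at: float

class SecurityGateway:
    def __init__(self, users, browser_digests, hardware_keys, catalogue, preset_period):
        self.users = users                      # user trust list
        self.browser_digests = browser_digests  # browser trust list (hex digests)
        self.hardware_keys = hardware_keys      # hardware key list: key id -> owner (assumed)
        self.catalogue = catalogue
        self.preset_period = preset_period      # seconds

    def authorize(self, user, password, browser_image, key_id, now):
        """Return an AuthorizationResult only if all three factors match."""
        entry = self.users.get(user)
        # Unknown users are still hashed against a dummy entry, and every
        # failure returns the same None, so the reply does not show which factor failed.
        probe = entry or UserEntry(b"\0" * 16, b"\0" * 32, False, 0)
        pw_ok = hmac.compare_digest(pw_hash(password, probe.salt), probe.pw)
        digest = sha256_hex(browser_image)
        browser_ok = any(hmac.compare_digest(digest, d) for d in self.browser_digests)
        key_ok = self.hardware_keys.get(key_id) == user
        if entry is None or not (pw_ok and browser_ok and key_ok):
            return None
        return AuthorizationResult(user, tuple(self.catalogue),
                                   entry.may_transfer, entry.level, now)

    def may_download(self, result, resource):
        return (resource in result.resource_list and result.may_transfer
                and resource.level <= result.level)

    def may_fetch(self, result, resource, now):
        if resource not in result.resource_list:
            return False
        if resource.offline:
            return True  # pre-stored resources stay available offline
        # Server resources are refused once the preset period has elapsed.
        return now - result.issued_at <= self.preset_period

# Constructed sample data: users A, B and C from the example above.
TRUSTED_BROWSER = b"secure-browser 1.0 image (constructed bytes)"

def build_demo_gateway():
    def user(password, may_transfer, level):
        salt = os.urandom(16)
        return UserEntry(salt, pw_hash(password, salt), may_transfer, level)
    users = {"A": user("pw-a", False, 0),   # intern: no upload/download
             "B": user("pw-b", True, 3),    # ordinary employee: level 3
             "C": user("pw-c", True, 10)}   # manager: level 10
    keys = {"KEY-A": "A", "KEY-B": "B", "KEY-C": "C"}
    catalogue = [Resource("handbook", 1, True),
                 Resource("design-doc", 3, False),
                 Resource("board-minutes", 10, False)]
    return SecurityGateway(users, {sha256_hex(TRUSTED_BROWSER)}, keys,
                           catalogue, preset_period=3600)

if __name__ == "__main__":
    gw = build_demo_gateway()
    b = gw.authorize("B", "pw-b", TRUSTED_BROWSER, "KEY-B", now=0)
    print([r.name for r in gw.catalogue if gw.may_download(b, r)])
```

A browser image that differs from the trusted one by a single byte produces a different digest and is rejected even when the password and hardware key are correct.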

S203. The resource security access device displays the accessible resource list, so that the user inputs an access instruction according to the accessible resource list.

After the user passes identity verification, the resource security access device generates the authorization result of the user. The authorization result includes the accessible resource list and the resource usage policy and is displayed to the user by the resource security access device, so that the user can input an access instruction through the resource list.

It should be added that the authorization result generated by the resource security access device includes the accessible resource list and the resource usage policy. The resource list is presented to the user as a resource bookmark page, and the resource bookmarks are constructed from a resource page template built into the resource security access device. The bookmarks cover not only web page resources but also resources such as applications, desktops and virtual machines, so that the user can clearly and conveniently find the resources needed and then input an access instruction.

S204. The resource security access device acquires, according to the resource usage policy, the pre-stored resource or the server resource indicated by the access instruction.

The resource security access device receives the access instruction input by the user and acquires, according to the resource usage policy, the pre-stored resource or the server resource indicated by the access instruction.

It should be added that the pre-stored resource and the server resource indicated by the access instruction refer to different resource types: the resource security access device divides resources into resources that can be accessed offline and resources that the user must access online. A pre-stored resource is a resource that the user can access offline, and a server resource is a resource that the user must access online. Resources that the user can access offline are placed in the browser before the user uses the browser.

If the server resource indicated by the access instruction is acquired, that is, a resource that the user must access online, the server transmits the data through an encrypted tunnel based on a security protocol, and the resources are presented to the user in one place by calling a local interface in accordance with the resource usage policy.

S205. The resource security access device stores the resource acquired from the server.

S206. The resource security access device encrypts the acquired server resource.

The following describes, with reference to steps S205 and S206, how the resource security access device acquires resources from the server and encrypts them.

The pre-stored resource and the server resource indicated by the access instruction refer to different resource types: the resource security access device divides resources into those that can be accessed offline and those that the user must access online. A pre-stored resource is one the user can access offline, and a server resource is one the user must access online.

When the user accesses resources offline, the offline resources have already been stored in the browser before the user uses the browser, and they are encrypted by the resource security access device to prevent the data from being viewed by external illegal software.

When the user accesses resources online, the server transmits the data through an encrypted tunnel based on a security protocol. The cached data is encrypted, and an encryption flag and a temporary index key are attached to the HTTP (Hypertext Transport Protocol) response header. After the response is parsed by the resource security access device, a one-time session key is requested from the security gateway of the resource security access device according to the encryption flag and the temporary key index, and the encrypted document is decrypted with that key and displayed to the user.

It should be added that, besides the cache and the offline resources, what the resource security access device stores also includes the user's behavior policy, where the user's behavior policy refers to recording the user's access behavior, downloaded files, opened files, and the like.

S207. If the access instruction input by the user is received after a preset period, the resource security access device does not acquire the server resource indicated by the access instruction.

If the access instruction input by the user is received after the preset period, the user's access has timed out. The resource security access device then automatically terminates the user's access operation and does not acquire the server resource indicated by the access instruction.

S208. If a logout or exit instruction input by the user is received, the resource security access device deletes the stored resources acquired from the server and deletes the resources downloaded by the user.

If a logout or exit instruction input by the user is received, the resource security access device triggers tunnel logout, and then deletes the stored resources acquired from the server and the resources downloaded by the user, which ensures data security.

In the method for secure access to resources provided by this embodiment of the present invention, the user's identity verification information, the browser software digest and the hardware key identifier are obtained. If the identity verification information matches the corresponding user information pre-stored in the user trust list, the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the user's authorization result is generated, where the authorization result includes the list of accessible resources and the resource usage policy. The list of accessible resources is displayed so that the user inputs an access instruction according to it, and the pre-stored resource or the server resource indicated by the access instruction is acquired according to the resource usage policy. With this solution, because the user's identity verification information, the browser software digest and the hardware key identifier are all authenticated, only an authenticated user can access the server, so that the user can securely access the server's resources and the server's resources are protected.

An embodiment of the present invention provides a resource security access device 1. Corresponding to the foregoing method embodiment, each functional unit of the resource security access device 1 can be used in the foregoing method steps. As shown in FIG. 3, the device includes:

A local service module 10, configured to obtain the user's identity verification information and the browser software digest, and to display the list of accessible resources so that the user inputs an access instruction according to the list of accessible resources.

Further, the local service module 10 is also configured to obtain the hardware key identifier.

In modern enterprise office work, browser-based access to business services has gradually become the main form of office work; it improves employee efficiency and makes full use of the convenience of the Internet. In the method for secure access to resources proposed by this embodiment of the present invention, when the resource security access device 1 is started by the user, the local service module 10 first reads the built-in user identity verification page. The user inputs identity verification information through this page and then inserts a hardware key as required. If a hardware key is inserted, the resource security access device 1 automatically extracts the hardware key identifier. The hardware key in this embodiment of the present invention may be a reliable, high-speed, small storage device with a password verification function that connects directly to the computer through USB.

It should be noted that, depending on the policy, the identity verification information may be an account name and password set by the user, personal information such as the user's name, employee number or identity card number, or information such as a digital certificate or a dynamic password. A digital certificate is a set of data that identifies the parties to an Internet communication and provides a way to verify a user's identity on the Internet; its role is similar to that of a driver's license or an identity card in daily life. A dynamic password is a changing random combination of digits generated by a dedicated algorithm; its main forms are mobile phone text messages, hardware tokens, mobile phone tokens and dynamic passwords.

When the resource security access device 1 is started by the user, the local service module 10 also reads the browser software digest of the browser used by the user. The browser software digest is the identifier of the browser and may specifically be a character string. From this string, the resource security access device 1 can determine whether it has been rewritten by an external illegal operation, which would create a security risk.

After the user passes identity verification, the resource security access device 1 generates the user's authorization result. The authorization result includes the list of accessible resources, which the resource security access device 1 displays to the user so that the user can input an access instruction through the resource list.

Further, the authorization result generated for the user by the resource security access device 1 includes the list of accessible resources and the resource usage policy. The resource list is presented to the user as a resource bookmark page, and the resource bookmarks are constructed from a resource page template built into the resource security access device 1. The bookmarks cover not only web page resources but also applications, desktops, virtual machines and other resources, so that the user can clearly and conveniently find the resources he or she needs and then input an access instruction.

An authentication module 11, configured to generate the user's authorization result if the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, where the authorization result includes the list of accessible resources.

Further, the authentication module 11 is also configured to generate the user's authorization result if the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list.

Further, the authorization result also includes a resource usage policy.

After obtaining the user's identity verification information, the browser software digest and the hardware key identifier, the resource security access device 1 verifies each of them. The resource security access device 1 sends the obtained identity verification information, browser software digest and hardware key identifier, through a tunnel established by SSL negotiation, to the authentication module 11 of the resource security access device 1 for authentication. SSL is a security protocol that provides security and data integrity for network communication and encrypts network connections at the transport layer.

It should be noted that sending the obtained identity verification information, browser software digest and hardware key identifier to the authentication module 11 of the resource security access device 1 is not limited to a tunnel established on the SSL protocol; the tunnel may also be established on a security protocol such as TLS.

The resource security access device 1 sends the obtained identity verification information, browser software digest and hardware key identifier, through a tunnel established by SSL negotiation, to the authentication module 11 of the resource security access device 1 for authentication. If the identity verification information matches the corresponding user information pre-stored in the user trust list, the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the user has passed authentication and can continue to browse resources.

After the user passes identity verification, the resource security access device 1 generates the user's authorization result. The authorization result includes the list of accessible resources and the resource usage policy, so that the user can access resources through the resource list.

It should be added that, after the user passes identity verification, the authorization result generated by the resource security access device 1 includes not only the list of accessible resources and the resource usage policy, which let the user access resources through the resource list, but also user permission information and resource security access level information. The user permission information indicates whether the user is allowed to upload or download resources, and the resource security access level information indicates the level of resources that the user is allowed to download.

For example, the resource security access device 1 divides the security levels of all files into 10 levels according to the policy. User A is an employee of a company who is still in the internship period, and the user permission information indicates that this user is not allowed to upload or download resources. User B is an ordinary employee of a company; the user permission information indicates that this user is allowed to upload and download resources, and the resource security access level information is level 3, that is, the level of resources the user is allowed to download is 3, meaning that this user can download resources of level 1, level 2 and level 3. User C is a manager of a company; the user permission information indicates that this user is allowed to upload and download resources, and the resource security access level information is level 10, that is, the level of resources the user is allowed to download is 10, meaning that this user can download all resources.
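The following sketch is an added illustration, not code from the patent: it shows an authentication module that generates an authorization result only when the identity verification information, the browser software digest and the hardware key identifier all match their trust lists, and then applies the user permission and security level rule from the example of users A, B and C. It assumes the digest is SHA-256 over the browser image and that passwords are stored as salted PBKDF2 hashes; all class names, accounts, passwords and key identifiers are hypothetical sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample input standing in for the secure browser's program image.
TRUSTED_BROWSER_IMAGE = b"constructed stand-in for the secure browser binary"


def software_digest(browser_image: bytes) -> str:
    """Assumption: the browser software digest is SHA-256 over the browser image."""
    return hashlib.sha256(browser_image).hexdigest()


def password_hash(password: str, salt: bytes) -> bytes:
    """Assumption: the user trust list stores salted PBKDF2 hashes, not passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class UserRecord:            # one entry of the user trust list
    salt: bytes
    pw_hash: bytes
    may_transfer: bool       # user permission information (upload/download allowed)
    max_level: int           # resource security access level, 1..10
    resources: tuple         # list of accessible resources


@dataclass(frozen=True)
class AuthorizationResult:
    user: str
    resources: tuple
    may_transfer: bool
    max_level: int


def make_record(password, may_transfer, max_level, resources):
    salt = os.urandom(16)
    return UserRecord(salt, password_hash(password, salt),
                      may_transfer, max_level, tuple(resources))


class Gateway:
    """Hypothetical authentication module holding the three trust lists."""

    def __init__(self, user_trust_list, browser_trust_list, hardware_key_list):
        self.user_trust_list = user_trust_list
        self.browser_trust_list = set(browser_trust_list)
        self.hardware_key_list = set(hardware_key_list)

    def authenticate(self, user, password, browser_digest, hw_key_id):
        rec = self.user_trust_list.get(user)
        # Hash even for unknown users so both paths do the same amount of work.
        salt = rec.salt if rec else b"\x00" * 16
        candidate = password_hash(password, salt)
        user_ok = rec is not None and hmac.compare_digest(candidate, rec.pw_hash)
        browser_ok = False
        for trusted in self.browser_trust_list:
            # Constant-time comparison of the reported digest with each trusted one.
            browser_ok |= hmac.compare_digest(browser_digest.encode(),
                                              trusted.encode())
        key_ok = hw_key_id in self.hardware_key_list
        # All three checks must pass; a single mismatch yields no authorization.
        if not (user_ok and browser_ok and key_ok):
            return None
        return AuthorizationResult(user, rec.resources,
                                   rec.may_transfer, rec.max_level)


def may_download(result: AuthorizationResult, resource_level: int) -> bool:
    """Download is allowed only with transfer permission and a sufficient level."""
    return result.may_transfer and 1 <= resource_level <= result.max_level


def build_example_gateway() -> Gateway:
    """Users A, B and C from the example above, with constructed credentials."""
    users = {
        "user_a": make_record("pw-a", False, 0, ["intranet portal"]),
        "user_b": make_record("pw-b", True, 3, ["intranet portal", "mail"]),
        "user_c": make_record("pw-c", True, 10,
                              ["intranet portal", "mail", "virtual desktop"]),
    }
    return Gateway(users,
                   [software_digest(TRUSTED_BROWSER_IMAGE)],
                   ["HWKEY-0001", "HWKEY-0002", "HWKEY-0003"])


if __name__ == "__main__":
    gw = build_example_gateway()
    digest = software_digest(TRUSTED_BROWSER_IMAGE)
    res = gw.authenticate("user_b", "pw-b", digest, "HWKEY-0002")
    print([lvl for lvl in range(1, 11) if may_download(res, lvl)])
```

A browser image that differs by even one byte produces a different digest, so a modified browser is refused before any resource list is generated.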

A secure communication module 12, configured to acquire the pre-stored resource or the server resource indicated by the access instruction.

Further, the secure communication module 12 is specifically configured to acquire, according to the resource usage policy, the pre-stored resource or the server resource indicated by the access instruction.

The resource security access device 1 receives the access instruction input by the user and, according to the resource usage policy, acquires the pre-stored resource or the server resource indicated by the access instruction.

It should be added that the pre-stored resource and the server resource indicated by the access instruction refer to different resource types: the resource security access device 1 divides resources into those that can be accessed offline and those that the user must access online. A pre-stored resource is one the user can access offline, and a server resource is one the user must access online. Resources that can be accessed offline are pre-installed in the browser before the user uses the browser.

If the server resource indicated by the access instruction is acquired, that is, a resource the user must access online, the server transmits the data through an encrypted tunnel based on a security protocol, and the resource is presented to the user in a centralized manner by calling the local interface according to the resource usage policy.

Further, the secure communication module 12 is also configured not to acquire the server resource indicated by the access instruction if the access instruction input by the user is received after a preset period.

If the access instruction input by the user is received after the preset period, the user's access has timed out. The resource security access device 1 then automatically terminates the user's access operation and does not acquire the server resource indicated by the access instruction.

Further, as shown in FIG. 4, the resource security access device 1 also includes:

A storage module 13, configured to store the resources acquired from the server.

Further, as shown in FIG. 5, the resource security access device 1 also includes:

An encryption module 14, configured to encrypt the acquired server resources.

The pre-stored resource and the server resource indicated by the access instruction refer to different resource types: the resource security access device 1 divides resources into those that can be accessed offline and those that the user must access online. A pre-stored resource is one the user can access offline, and a server resource is one the user must access online.

When the user accesses resources offline, the offline resources have already been stored in the browser before the user uses the browser, and they are encrypted by the resource security access device 1 to prevent the data from being viewed by external illegal software.

When the user accesses resources online, the server transmits the data through an encrypted tunnel based on a security protocol. The cached data is encrypted, and an encryption flag and a temporary index key are attached to the HTTP response header. After the response is parsed by the resource security access device 1, a one-time session key is requested from the security gateway of the resource security access device 1 according to the encryption flag and the temporary key index, and the encrypted document is decrypted with that key and displayed to the user.

It should be added that, besides the cache and the offline resources, what the resource security access device 1 stores also includes the user's behavior policy, where the user's behavior policy refers to recording the user's access behavior, downloaded files, opened files, and the like.

Further, the storage module 13 is also configured to delete the stored resources acquired from the server and delete the resources downloaded by the user if a logout or exit instruction input by the user is received.

If a logout or exit instruction input by the user is received, the resource security access device 1 triggers tunnel logout, and then deletes the stored resources acquired from the server and the resources downloaded by the user, which ensures data security.

In the device 1 for secure access to resources provided by this embodiment of the present invention, the user's identity verification information and the browser software digest are obtained. If the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, the user's authorization result is generated, where the authorization result includes the list of accessible resources. The list of accessible resources is displayed so that the user inputs an access instruction according to it, and the pre-stored resource or the server resource indicated by the access instruction is acquired. With this solution, because the user's identity verification information, the browser software digest and the hardware key identifier are all authenticated, only an authenticated user can access the server, so that the user can securely access the server's resources and the server's resources are protected.

An embodiment of the present invention provides a resource security accessor 2. Corresponding to the foregoing method embodiment, each functional unit of the resource security accessor 2 can be used in the foregoing method steps. As shown in FIG. 6, the accessor includes:

A secure browser 20, configured to obtain the user's identity verification information and the browser software digest, to display the list of accessible resources so that the user inputs an access instruction according to the list of accessible resources, and to acquire the pre-stored resource or the server resource indicated by the access instruction.

Further, the secure browser is also configured to obtain the hardware key identifier.

In modern enterprise office work, browser-based access to business services has gradually become the main form of office work; it improves employee efficiency and makes full use of the convenience of the Internet. In the method for secure access to resources proposed by this embodiment of the present invention, when the resource security accessor 2 is started by the user, the user identity verification page built into the resource security accessor 2 is read first. The user inputs identity verification information and then inserts the hardware key, and the resource security accessor 2 automatically extracts the hardware key identifier. The hardware key is a reliable, high-speed, small storage device with a password verification function that connects directly to the computer through USB.

It should be noted that, depending on the policy, the identity verification information may be an account name and password set by the user, personal information such as the user's name, employee number or identity card number, or information such as a digital certificate or a dynamic password. A digital certificate is a set of data that identifies the parties to an Internet communication and provides a way to verify a user's identity on the Internet; its role is similar to that of a driver's license or an identity card in daily life. A dynamic password is a changing random combination of digits generated by a dedicated algorithm; its main forms are mobile phone text messages, hardware tokens, mobile phone tokens and dynamic passwords.

When the resource security accessor 2 is started by the user, the resource security accessor 2 also reads the software digest of its own built-in browser. The browser software digest can be regarded as a character string unique to the browser itself; from this string we can tell whether the resource security accessor 2 has been rewritten by an external illegal operation, which would create a security risk.

After the user passes identity verification, the resource security accessor 2 generates the user's authorization result. The authorization result includes the list of accessible resources and the resource usage policy, and is displayed to the user by the resource security accessor 2 so that the user can input an access instruction through the resource list.

It should be added that the authorization result generated for the user by the resource security accessor 2 includes the list of accessible resources and the resource usage policy. The resource list is presented to the user as a resource bookmark page, and the resource bookmarks are constructed from a resource page template built into the resource security accessor 2. The bookmarks cover not only web page resources but also applications, desktops, virtual machines and other resources, so that the user can clearly and conveniently find the resources he or she needs and then input an access instruction.

The resource security accessor 2 receives the access instruction input by the user and, according to the resource usage policy, acquires the pre-stored resource or the server resource indicated by the access instruction.

It should be added that the pre-stored resource and the server resource indicated by the access instruction refer to different resource types: the resource security accessor 2 divides resources into those that can be accessed offline and those that the user must access online. A pre-stored resource is one the user can access offline, and a server resource is one the user must access online. Resources that can be accessed offline are pre-installed in the browser before the user uses the browser.

If the server resource indicated by the access instruction is acquired, that is, a resource the user must access online, the server transmits the data through an encrypted tunnel based on a security protocol, and the resource is presented to the user in a centralized manner by calling the local interface according to the resource usage policy.

A security gateway 21, configured to generate the user's authorization result if the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, where the authorization result includes the list of accessible resources.

Further, the security gateway is also configured to generate the user's authorization result if the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list.

Further, the authorization result also includes a resource usage policy;

where the secure browser is specifically configured to acquire, according to the resource usage policy, the pre-stored resource or the server resource indicated by the access instruction.

After obtaining the user's identity verification information, the browser software digest and the hardware key identifier, the resource security accessor 2 verifies each of them. The resource security accessor 2 sends the obtained identity verification information, browser software digest and hardware key identifier, through a tunnel established by SSL negotiation, to the authentication module of the resource security accessor 2 for authentication. SSL is a security protocol that provides security and data integrity for network communication and encrypts network connections at the transport layer.

It should be noted that sending the obtained identity verification information, browser software digest and hardware key identifier to the authentication module of the resource security accessor 2 is not limited to a tunnel established on the SSL protocol; the tunnel may also be established on a security protocol such as TLS.

The resource security accessor 2 sends the acquired identity verification information, browser software digest and hardware key identifier, through the tunnel established by SSL negotiation, to the authentication module of the resource security accessor 2 for authentication. If the identity verification information matches the corresponding user information pre-stored in the user trust list, and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, and the hardware key identifier matches the corresponding hardware key information pre-stored in the hardware key list, the user has passed authentication and can continue to browse resources.

After the user passes identity verification, the resource security accessor 2 generates the authorization result of the user. The authorization result includes the accessible resource list and the resource usage policy, so that the user can access resources through the resource list.

It should be added that, besides the accessible resource list and the resource usage policy that let the user access resources through the resource list, the authorization result that the resource security accessor 2 generates after the user passes identity verification also includes user permission information and resource security access level information. The user permission information indicates whether the user is allowed to upload or download resources, and the resource security access level information indicates the level of the resources that the user is allowed to download.

For example, the resource security accessor 2 divides the security level of all files into 10 levels according to the policy. User A is an employee of a company who is still in the internship period, and the user permission information indicates that this user is not allowed to upload or download resources. User B is an ordinary employee of a company; the user permission information indicates that this user is allowed to upload and download resources, and the resource security access level information is level 3, that is, the level of the resources the user is allowed to download is 3, which means that the user can download resources of levels 1, 2 and 3. User C is a manager of a company; the user permission information indicates that this user is allowed to upload and download resources, and the resource security access level information is level 10, that is, the level of the resources the user is allowed to download is 10, which means that the user can download all resources.

Further, the security gateway 21 is further configured not to acquire the resource of the server indicated by the access instruction if the access instruction input by the user is received after a preset period.

If the access instruction input by the user is received after the preset period, the user's access has timed out. In that case the resource security accessor 2 automatically terminates the user's access operation and does not acquire the resource of the server indicated by the access instruction.
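The checks described above (authentication against the three trust lists, the authorization result with user permission and security access level, and the preset-period timeout) can be sketched as follows. This is an added Python example, not code from the patent; the password-based identity check, the SHA-256 browser digest, the 900-second period counted from issuance, and every user name, key identifier and resource name are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

PRESET_PERIOD_S = 900  # assumption: the text only says "preset period"

def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted hash of the identity secret (the secret is assumed to be a password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# --- Constructed sample data, standing in for the gateway's pre-stored lists ---
TRUSTED_DIGEST = hashlib.sha256(b"constructed secure-browser build").hexdigest()
BROWSER_TRUST_LIST = {TRUSTED_DIGEST}
USER_TRUST_LIST = {u: (s, pw_hash(p, s)) for u, p, s in [
    ("userA", "pw-a", b"salt-a"),
    ("userB", "pw-b", b"salt-b"),
    ("userC", "pw-c", b"salt-c"),
]}
HARDWARE_KEY_LIST = {"userA": "HK-0001", "userB": "HK-0002", "userC": "HK-0003"}
# (upload/download allowed?, highest downloadable level), mirroring users A, B, C
USER_RIGHTS = {"userA": (False, 0), "userB": (True, 3), "userC": (True, 10)}
RESOURCE_LEVELS = {"handbook.pdf": 1, "roadmap.docx": 3,
                   "payroll.xlsx": 7, "board-minutes.pdf": 10}

@dataclass(frozen=True)
class AuthorizationResult:
    user: str
    resource_list: tuple   # names the user may browse
    may_transfer: bool     # user permission information
    max_level: int         # resource security access level information
    issued_at: float       # start of the preset period (assumption)

def authenticate(user: str, password: str, browser_digest: str,
                 hardware_key_id: str) -> bool:
    """All three checks must pass; each one is evaluated even if an earlier one fails."""
    salt, stored = USER_TRUST_LIST.get(user, (b"-", b""))
    identity_ok = hmac.compare_digest(pw_hash(password, salt), stored)
    browser_ok = browser_digest in BROWSER_TRUST_LIST
    expected = HARDWARE_KEY_LIST.get(user, "")
    key_ok = bool(expected) and hmac.compare_digest(
        hardware_key_id.encode(), expected.encode())
    return identity_ok and browser_ok and key_ok

def authorize(user: str, password: str, browser_digest: str,
              hardware_key_id: str, now: float) -> Optional[AuthorizationResult]:
    """Return an authorization result only for a fully authenticated user."""
    if not authenticate(user, password, browser_digest, hardware_key_id):
        return None
    may_transfer, max_level = USER_RIGHTS[user]
    return AuthorizationResult(user, tuple(sorted(RESOURCE_LEVELS)),
                               may_transfer, max_level, now)

def decide(auth: Optional[AuthorizationResult], resource: str,
           action: str, now: float) -> str:
    """Evaluate one access instruction ('browse' or 'download')."""
    if auth is None:
        return "deny: not authenticated"
    if now - auth.issued_at > PRESET_PERIOD_S:
        return "deny: timed out"
    if resource not in auth.resource_list:
        return "deny: not in resource list"
    if action == "browse":
        return "allow"
    if action != "download":
        return "deny: unknown action"
    if not auth.may_transfer:
        return "deny: transfer not permitted"
    if RESOURCE_LEVELS[resource] > auth.max_level:
        return "deny: level"
    return "allow"

if __name__ == "__main__":
    b = authorize("userB", "pw-b", TRUSTED_DIGEST, "HK-0002", now=1000.0)
    for name in sorted(RESOURCE_LEVELS):
        print(name, decide(b, name, "download", now=1010.0))
```

The denial reasons are returned as distinct strings so that a gateway log can tell a timeout apart from a level or permission failure.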

Further, the secure browser 20 is further configured to store the resources acquired from the server.

Further, the security gateway 21 is further configured to encrypt the resources acquired from the server.

The pre-stored resource and the resource of the server indicated by the access instruction refer to different resource types: the resource security accessor 2 divides resources into resources that can be accessed offline and resources that the user must access online. A pre-stored resource is a resource that the user can access offline, and a resource of the server is a resource that the user must access online.

When the user accesses resources offline, the offline resources have already been stored in the browser before the user uses the browser, and they are encrypted by the resource security accessor 2 so that the data cannot be viewed by unauthorized external software.

When the user accesses resources online, the server transmits the data through an encrypted tunnel based on a security protocol. After the cached data is encrypted, an encryption marker and a temporary index key are attached to the HTTP response header. After the response is parsed by the resource security accessor 2, a one-time session key is requested from the security gateway 21 of the resource security accessor 2 according to the encryption marker and the temporary key index, and the encrypted document is decrypted with that key and then displayed to the user.

It should be added that, in addition to cached and offline resources, the resources acquired from the server and stored by the resource security accessor 2 also include the user's behavior policy, where the user's behavior policy refers to a record of the user's access behavior, such as the files downloaded and the files opened.

Further, the resource security accessor 2 is further configured to delete the stored resources acquired from the server and delete the resources downloaded by the user if a logout or exit instruction input by the user is received.

If a logout or exit instruction input by the user is received, the resource security accessor 2 triggers the tunnel logout behavior and then deletes the stored resources acquired from the server and the resources downloaded by the user, which ensures the security of the data.

The device for secure resource access provided by the embodiment of the present invention acquires the user's identity verification information and the browser software digest; if the identity verification information matches the corresponding user information pre-stored in the user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in the browser trust list, it generates the authorization result of the user, where the authorization result includes the accessible resource list; it displays the accessible resource list so that the user inputs an access instruction according to that list; and it acquires the pre-stored resource or the resource of the server indicated by the access instruction. With this solution, because the user's identity verification information, the browser software digest and the hardware key identifier are all authenticated, only an authenticated user can access the server, so the user can securely access the resources of the server and the server resources are protected.

It should be noted that, in the embodiment of the present invention, because the user's identity verification information, the browser software digest and the hardware key identifier are all authenticated, only an authenticated user can access the server, so the user can securely access the resources of the server and the server resources are protected. Besides being used on a PC (Personal Computer), the resource security accessor can also be provided in other user equipment, for example a tablet computer, where it likewise enables the user to securely access the resources of the server and protects the server resources.

A person of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.

The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims

1. A resource security access method, characterized by comprising:
acquiring a user's identity verification information and a browser software digest;
if the identity verification information matches the corresponding user information pre-stored in a user trust list, and the browser software digest matches the corresponding browser software digest information pre-stored in a browser trust list, generating an authorization result of the user, the authorization result including an accessible resource list;
displaying the accessible resource list, so that the user inputs an access instruction according to the accessible resource list;
acquiring the pre-stored resource or the resource of a server indicated by the access instruction.

2. The resource security access method according to claim 1, characterized by further comprising:
acquiring a hardware key identifier;
if the hardware key identifier matches the corresponding hardware key information pre-stored in a hardware key list, generating the authorization result of the user.

3. The resource security access method according to claim 1 or 2, characterized in that the authorization result further includes a resource usage policy;
wherein acquiring the pre-stored resource or the resource of the server indicated by the access instruction comprises:
acquiring, according to the resource usage policy, the pre-stored resource or the resource of the server indicated by the access instruction.

4. The resource security access method according to any one of claims 1 to 3, characterized in that, if the access instruction input by the user is received after a preset period, the resource of the server indicated by the access instruction is not acquired.

5. The resource security access method according to any one of claims 1 to 4, characterized in that the authorization result further includes user permission information, and the user permission information indicates whether the user is allowed to upload or download resources.

6. The resource security access method according to any one of claims 1 to 5, characterized in that the authorization result further includes resource security access level information, and the resource security access level information indicates the level of the resources that the user is allowed to download.

7. A resource security access device, characterized by comprising:
a local service module, configured to acquire a user's identity verification information and a browser software digest, and to display the accessible resource list so that the user inputs an access instruction according to the accessible resource list;
an authentication module, configured to generate an authorization result of the user if the identity verification information matches the corresponding user information pre-stored in a user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in a browser trust list, the authorization result including an accessible resource list;
a secure communication module, configured to acquire the pre-stored resource or the resource of a server indicated by the access instruction.

8. The resource security access device according to claim 7, characterized in that
the local service module is further configured to acquire a hardware key identifier;
the authentication module is further configured to generate the authorization result of the user if the hardware key identifier matches the corresponding hardware key information pre-stored in a hardware key list.

9. The resource security access device according to claim 7 or 8, characterized in that the authorization result further includes a resource usage policy;
wherein the secure communication module is specifically configured to acquire, according to the resource usage policy, the pre-stored resource or the resource of the server indicated by the access instruction.

10. The resource security access device according to any one of claims 7 to 9, characterized in that
the secure communication module is further configured not to acquire the resource of the server indicated by the access instruction if the access instruction input by the user is received after a preset period.

11. The resource security access device according to any one of claims 7 to 10, characterized in that the authorization result further includes user permission information, and the user permission information indicates whether the user is allowed to upload or download resources.

12. The resource security access device according to any one of claims 7 to 11, characterized in that the authorization result further includes resource security access level information, and the resource security access level information indicates the level of the resources that the user is allowed to download.

13. A resource security accessor, characterized by comprising:
a secure browser, configured to acquire a user's identity verification information and a browser software digest, to display the accessible resource list so that the user inputs an access instruction according to the accessible resource list, and to acquire the pre-stored resource or the resource of a server indicated by the access instruction;
a security gateway, configured to generate an authorization result of the user if the identity verification information matches the corresponding user information pre-stored in a user trust list and the browser software digest matches the corresponding browser software digest information pre-stored in a browser trust list, the authorization result including an accessible resource list.

14. The resource security accessor according to claim 13, characterized in that
the secure browser is further configured to acquire a hardware key identifier;
the security gateway is further configured to generate the authorization result of the user if the hardware key identifier matches the corresponding hardware key information pre-stored in a hardware key list.

15. The resource security accessor according to claim 13 or 14, characterized in that the authorization result further includes a resource usage policy;
wherein the secure browser is specifically configured to acquire, according to the resource usage policy, the pre-stored resource or the resource of the server indicated by the access instruction.

PCT/CN2012/083035 2012-10-16 2012-10-16 Method and device for secure access to resource Ceased WO2014059604A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2012/083035 WO2014059604A1 (en) 2012-10-16 2012-10-16 Method and device for secure access to resource
CN2012800017887A CN103109510A (en) 2012-10-16 2012-10-16 Resource safety access method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/083035 WO2014059604A1 (en) 2012-10-16 2012-10-16 Method and device for secure access to resource

Publications (1)

Publication Number Publication Date
WO2014059604A1 true WO2014059604A1 (en) 2014-04-24

Family

ID=48316010

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/083035 Ceased WO2014059604A1 (en) 2012-10-16 2012-10-16 Method and device for secure access to resource

Country Status (2)

Country Link
CN (1) CN103109510A (en)
WO (1) WO2014059604A1 (en)


Also Published As

Publication number Publication date
CN103109510A (en) 2013-05-15

JP2006092081A (en) Safe start/use method for personal computer to be used by unspecified person or multiple person and recording medium for realizing such use

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201280001788.7

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12886857

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12886857

Country of ref document: EP

Kind code of ref document: A1