An access authentication method and device, electronic equipment and storage medium
By employing a dual-signature mechanism between the enterprise client and both the bank and third-party institutions, the problem of secure connection between the enterprise client and the third-party institutions is solved, ensuring data security and the legitimacy of its source, and enabling the establishment of a secure connection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- AGRICULTURAL BANK OF CHINA
- Filing Date
- 2024-11-29
- Publication Date
- 2026-06-05
AI Technical Summary
Existing technical solutions cannot achieve secure connections between enterprise clients and third-party institutions through the bank's end, thus failing to meet the actual needs of enterprises.
By receiving user-input messages on the enterprise client and using digital certificates for signing, a signature value is generated. This value is then verified through dual signature verification between the bank and a third-party institution, ensuring the security and legitimacy of the data's origin.
It enables secure connections between enterprise clients and third-party institutions, ensuring that data is not tampered with and originates from legitimate enterprise clients, thereby improving connection security.
Smart Images

Figure CN119520144B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, and more specifically, to an access authentication method, apparatus, electronic device, and storage medium. Background Technology
[0002] As businesses expand and their actual needs evolve, they often require connections with third-party institutions through banking systems to access shopping or other financial services. However, existing technical solutions can only connect the enterprise client to the banking system and cannot meet the enterprise's need for secure connections between the enterprise client and third-party institutions via the banking system. Summary of the Invention
[0003] In view of this, this application provides an access authentication method, apparatus, electronic device, and storage medium to meet the needs of enterprises for secure connections between enterprise clients and third-party institutions via bank clients.
[0004] To achieve the above objectives, the following solution is proposed:
[0005] An access authentication method is applied to a third-party system, the third-party system including an enterprise client, a bank client, and at least one third-party institution client, the access authentication method including the following steps:
[0006] The system controls the enterprise client to receive the first message input by the enterprise user, and calls the digital certificate configured on the enterprise client to sign the first message to obtain a first signature value, and sends the first signature value to the bank.
[0007] The bank verifies the first signature value. After determining that the first signature value comes from the enterprise client, it obtains a second signature value based on the first signature value and sends the first signature value and the second signature value to the third-party institution.
[0008] The third-party institution verifies the first signature value and the second signature value. After successful verification, a trust connection is established between the bank and the enterprise client.
[0009] Optionally, the step of controlling the enterprise client to receive the first message input by the enterprise user, and calling the digital certificate configured on the enterprise client to sign the first message to obtain a first signature value, and sending the first signature value to the bank, includes the following steps:
[0010] The first message is processed based on the first digest algorithm of the digital certificate to obtain the first digest value;
[0011] The first digest value is encrypted using the first private key of the digital certificate to obtain the first ciphertext;
[0012] The first message, the first digest value, the first ciphertext, and the first public key certificate of the digital certificate are packaged into the first signature value;
[0013] The first signature value is sent to the bank.
[0014] Optionally, the step of controlling the bank to verify the first signature value, and after determining that the first signature value comes from the enterprise client, obtaining a second signature value based on the first signature value, and sending the first signature value and the second signature value to the third-party institution includes the following steps:
[0015] Verify whether the first signature value originates from the enterprise client;
[0016] After verification, the second signature value is generated based on the first signature value;
[0017] The first signature value and the second signature value are sent to the third-party institution.
[0018] Optionally, verifying whether the first signature value originates from the enterprise client includes the following steps:
[0019] The first signature value is parsed to obtain the first message, the first digest value, the first public key certificate, and the first ciphertext.
[0020] The first ciphertext is decrypted using the first public key certificate, and the digest is verified to obtain the first digest value;
[0021] The first digest algorithm is used to generate a verification digest value;
[0022] The verification digest value is compared with the first digest value. If they match, the authentication is successful.
[0023] Optionally, the step of generating the second signature value based on the first signature value after verification includes the following steps:
[0024] The second message is processed using a second digest algorithm to obtain a second digest value. The second message includes the first ciphertext, the first public key certificate, the first message, and the data required by the third-party organization.
[0025] The second digest value is encrypted using the second private key to form the second ciphertext;
[0026] The first message, the second message, the second ciphertext, and the second digest algorithm are then packaged together to form a second signature value.
[0027] Optional steps may also be included:
[0028] The bank verifies whether the enterprise client has been registered with the third-party institution. If no registration has been made, the bank applies for registration for the enterprise client with the third-party institution.
[0029] Optional, the following steps may also be included:
[0030] Based on the bank's determination of whether the digital certificate needs to be updated, if so, the digital certificate is updated and a new filing is applied for for the enterprise client from the third-party institution.
[0031] An access authentication device is applied to a third-party system, the third-party system including an enterprise client, a bank client, and at least one third-party institution client, the access authentication device comprising:
[0032] The connection request module is configured to control the enterprise client to receive the first message input by the enterprise user, call the digital certificate configured on the enterprise client to sign the first message, obtain the first signature value, and send the first signature value to the bank.
[0033] The verification and sending module is configured to control the bank to verify the first signature value, and after determining that the first signature value comes from the enterprise client, obtain the second signature value based on the first signature value, and send the first signature value and the second signature value to the third-party institution.
[0034] The connection verification module is configured to control the third-party institution to verify the first signature value and the second signature value, and after successful verification, establish a trust connection between the bank and the enterprise client.
[0035] Or, it may also include:
[0036] The client-side filing module is configured to verify, based on the bank, whether the enterprise client has been filed with the third-party institution. If no filing has been made, the module will apply for filing for the enterprise client with the third-party institution.
[0037] Or, it may also include:
[0038] The certificate update module is configured to determine whether the digital certificate needs to be updated based on the bank's information. If so, the digital certificate is updated and the enterprise client is re-applied for filing with the third-party institution.
[0039] An electronic device includes at least one processor and a memory connected to the processor, wherein:
[0040] The memory is used to store computer programs or instructions;
[0041] The processor is used to execute the computer program or instructions to enable the electronic device to implement the access authentication method as described above.
[0042] A computer-readable storage medium is applied to an electronic device, the storage medium carrying one or more computer programs that can be executed by the electronic device to enable the electronic device to implement the access authentication method as described above.
[0043] As can be seen from the above technical solution, this application discloses an access authentication method, apparatus, electronic device, and storage medium. This method and apparatus are applied to a three-party system including an enterprise client, a bank, and at least one third-party institution. Specifically, the enterprise client receives a first message input by an enterprise user and uses a digital certificate configured on the enterprise client to sign the first message, obtaining a first signature value, which is then sent to the bank. The bank verifies the first signature value; after confirming that the first signature value originates from the enterprise client, it obtains a second signature value based on the first signature value and sends both the first and second signature values to the third-party institution. The third-party institution verifies both the first and second signature values; upon successful verification, a trusted connection is established between the bank and the enterprise client. This application uses a dual-signature mechanism to ensure that the third-party institution's signature parsing ensures the data has not been tampered with and originates from the bank, and that the business signature parsing ensures the customer data has not been tampered with and originates from the enterprise client, thereby guaranteeing connection security. Attached Figure Description
[0044] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0045] Figure 1 This is a flowchart of an access authentication method according to an embodiment of this application;
[0046] Figure 2 This is a schematic diagram of a filing process for an enterprise client according to an embodiment of this application;
[0047] Figure 3 This is a block diagram of an access authentication device according to an embodiment of this application;
[0048] Figure 4This is a block diagram of another access authentication device according to an embodiment of this application;
[0049] Figure 5 This is a block diagram of another access authentication device according to an embodiment of this application;
[0050] Figure 6 This is a block diagram of an electronic device according to an embodiment of this application. Detailed Implementation
[0051] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.
[0052] This application discloses an authentication method for an enterprise client to access a third-party institution's system via a bank. This method is applied to a three-party system comprising an enterprise client, a bank, and a third-party institution. The method includes: First, the bank system uses the first digest algorithm of a K-Key (the customer's key) to generate a first digest value from the first message input by the customer based on the enterprise client. Then, it encrypts the digest value using the K-Key's private key to generate a first ciphertext. The system packages the first message, the first digest value, the public key certificate, and the first ciphertext into a first signature value. The first signature value and the plaintext (used to generate the digest) according to specified rules are sent to the access front-end system. Second, the front-end system parses the first signature value (first message, first digest value, public key certificate, and first ciphertext), decrypts the first ciphertext using the public key certificate in the first signature value, performs digest verification to obtain the first digest value, generates a verification digest value using the first digest algorithm on the input plaintext, and compares the verification digest value with the first digest value. If they match, authentication is successful. The third step involves the front-end system using a second digest algorithm to generate a second digest value for the second message (which contains the first signature value, the first public key certificate, the first message itself, and data required by the third-party institution). The second digest value is then encrypted using the second private key to form a second ciphertext. Finally, the first message, the second message, the second ciphertext, and the second digest algorithm are signed and packaged together to form a second signature value, which is then sent to the third-party institution via an HTTPS request. The fourth step involves the third-party institution using the sender's public key to decrypt the second ciphertext, obtaining the second digest value. The third-party institution then uses the second digest algorithm to generate a digest value for the second message and compares this digest value with the second digest value. If they match, it indicates that the message has not been tampered with and that the verification message originates from the bank system. The fifth step involves the third-party institution using the customer's public key certificate in the message to decrypt the ciphertext, obtaining the first digest value. The third-party institution then uses the first digest algorithm to generate a verification digest value for the first message and compares this digest value with the first digest value. If they match, it indicates that the message has not been tampered with and that the verification message request originates from the customer's intent. This invention utilizes a combination of asymmetric key and public / private key technologies to ensure the security of message transmission when a bank accesses a third-party institution.
[0053] The digest algorithm in this application is used to compute a fixed-length output digest on any set of input data. Its characteristic is that the same input will always produce the same output, and different inputs will produce different outputs.
[0054] A key is a parameter input to an algorithm that converts plaintext to ciphertext or ciphertext to plaintext. Keys are divided into symmetric keys and asymmetric keys.
[0055] The authentication medium distributed by KeyPay Bank to its corporate clients may have different names depending on the bank, but it is actually a hardware carrier of digital certificates.
[0056] Symmetric encryption algorithms use the same key to encrypt and decrypt data. Their biggest advantage is their fast encryption / decryption speed, making them suitable for encrypting large amounts of data.
[0057] Asymmetric encryption algorithms, also known as public-key encryption algorithms, require different keys for encryption and decryption. One key is publicly released (the public key), while the other is kept secret by the user (the private key). Messages are encrypted using the public key and decrypted using the private key. Asymmetric encryption algorithms are flexible, but their encryption and decryption speeds are much slower than symmetric encryption algorithms.
[0058] Based on the above, this application provides the following specific embodiments:
[0059] Figure 1 This is a flowchart of an access authentication method according to an embodiment of this application.
[0060] like Figure 1 As shown, the access authentication method provided in this embodiment is applied to an electronic device to establish a trusted connection between a corporate client and a third-party institution based on the bank's end in the aforementioned third-party system. This electronic device can be understood as a computer, server, or cloud platform with data computing and information processing capabilities. The access authentication method includes the following steps:
[0061] S1. Control the enterprise client to receive the first message input by the enterprise user, call the digital certificate configured on the enterprise client to sign the first message, obtain the first signature value, and send the first signature value to the bank.
[0062] The digital certificate in this application refers to a hardware certificate carrier such as a keypad configured on the enterprise client, which carries the first digest algorithm, the first private key, and the first public key certificate. When the user initiates a connection request by inputting the first message on the enterprise client, the following operations are specifically performed.
[0063] First, the first message is processed based on the first digest algorithm to obtain the first digest value; then, the first digest value is encrypted using the first private key to obtain the first ciphertext; the first message, the first digest value, the first ciphertext, and the first public key certificate are packaged into a first signature value; and the first signature value is sent to the bank.
[0064] S2. Control the bank to verify the first signature value. After determining that the first signature value comes from the enterprise client, obtain the second signature value based on the first signature value, and send the first signature value and the second signature value to the third-party institution.
[0065] That is, after the bank receives the first digest value sent by the enterprise client, it performs an initial verification process on the first digest value to determine whether the enterprise client is a legitimate user. If so, subsequent operations are performed. The specific process is as follows:
[0066] First, verify whether the first signature value comes from the enterprise client;
[0067] The first signature value is parsed to obtain the first message, the first digest value, the first public key certificate, and the first ciphertext; the first ciphertext is decrypted using the first public key certificate and digest verification is performed to obtain the first digest value; a verification digest value is generated using the first digest algorithm; the verification digest value is compared with the first digest value, and if they match, the authentication is passed, meaning that the first signature value does indeed come from a legitimate enterprise client.
[0068] Then, after verification, a second signature value is generated based on the first signature value;
[0069] The second message is processed using a second digest algorithm to obtain a second digest value. The second message includes the first ciphertext, the first public key certificate, the first message, and the data required by the third-party institution. The specific content of the data can be set according to the user's needs. The second digest value is encrypted using the second private key to form the second ciphertext. The first message, the second message, the second ciphertext, and the second digest algorithm are then signed and packaged into a second signature value.
[0070] Finally, the first signature value and the second signature value are sent to the third-party organization via HTTPS.
[0071] S3. Control the third-party institution to verify the first signature value and the second signature value. After verification, establish a trust connection between the bank and the enterprise client.
[0072] The specific process involves using the client's public key certificate obtained through prior interaction to decrypt the first ciphertext, obtaining a first digest value. A verification digest value is then generated from the first message using the first digest algorithm. The obtained digest value is compared with the first digest value; if they match, it indicates that the message has not been tampered with and the verification message request originates from the client. This invention utilizes a combination of asymmetric key and public-private key technologies to ensure the security of message transmission when a bank connects to a third-party institution.
[0073] As can be seen from the above technical solution, this embodiment provides an access authentication method. This method is applied to a three-party system including an enterprise client, a bank, and at least one third-party institution. Specifically, the enterprise client receives a first message input by an enterprise user and uses a digital certificate configured on the enterprise client to sign the first message, obtaining a first signature value, which is then sent to the bank. The bank verifies the first signature value; after determining that the first signature value originates from the enterprise client, it obtains a second signature value based on the first signature value and sends both the first and second signature values to the third-party institution. The third-party institution verifies both the first and second signature values; upon successful verification, a trusted connection is established between the bank and the enterprise client. This application uses a dual-signature mechanism to ensure that the third-party institution's signature parsing ensures the data has not been tampered with and originates from the bank, and that the business signature parsing ensures the customer data has not been tampered with and originates from the enterprise client, thereby guaranteeing connection security.
[0074] In addition, this application includes the following steps:
[0075] After a corporate client logs into the bank's system via a corporate client application, the bank determines whether the corporate client application has been registered with a third-party institution. If no registration record exists, the bank applies for registration for the corporate client application with the third-party institution. The specific registration process is as follows: Figure 2 As shown.
[0076] Furthermore, this application also includes the following steps:
[0077] The system assesses the enterprise client's digital certificate to determine if it needs updating. If so, it updates the certificate and then re-registers the enterprise client with a third-party organization.
[0078] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0079] Although the operations are described in a specific order, this should not be construed as requiring these operations to be performed in the specific order shown or in a sequential order. In certain environments, multitasking and parallel processing may be advantageous.
[0080] It should be understood that the steps described in the method embodiments of this disclosure may be performed in different orders and / or in parallel. Furthermore, the method embodiments may include additional steps and / or omit the steps shown. The scope of this disclosure is not limited in this respect.
[0081] Computer program code for performing the operations of this disclosure can be written in one or more programming languages or a combination thereof, including but not limited to object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as C or similar languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer.
[0082] Figure 3 This is a block diagram of an access authentication device according to an embodiment of this application.
[0083] like Figure 3 As shown, the access authentication device provided in this embodiment is applied to an electronic device to establish a trusted connection between a corporate client and a third-party institution based on the bank's end in the aforementioned third-party system. This electronic device can be understood as a computer, server, or cloud platform with data computing and information processing capabilities. The access authentication device includes a connection request module 10, a verification sending module 20, and a verification connection module 30.
[0084] The connection request module is used to control the enterprise client to receive the first message input by the enterprise user, call the digital certificate configured on the enterprise client to sign the first message, obtain the first signature value, and send the first signature value to the bank.
[0085] The digital certificate in this application refers to a hardware certificate carrier such as a keypad configured on the enterprise client, which carries the first digest algorithm, the first private key, and the first public key certificate. When the user initiates a connection request by inputting the first message on the enterprise client, the following operations are specifically performed.
[0086] First, the first message is processed based on the first digest algorithm to obtain the first digest value; then, the first digest value is encrypted using the first private key to obtain the first ciphertext; the first message, the first digest value, the first ciphertext, and the first public key certificate are packaged into a first signature value; and the first signature value is sent to the bank.
[0087] The verification and sending module is used to control the bank to verify the first signature value. After determining that the first signature value comes from the enterprise client, it obtains the second signature value based on the first signature value and sends the first signature value and the second signature value to the third-party institution.
[0088] That is, after the bank receives the first digest value sent by the enterprise client, it performs an initial verification process on the first digest value to determine whether the enterprise client is a legitimate user. If so, subsequent operations are performed. The specific process is as follows:
[0089] First, verify whether the first signature value comes from the enterprise client;
[0090] The first signature value is parsed to obtain the first message, the first digest value, the first public key certificate, and the first ciphertext; the first ciphertext is decrypted using the first public key certificate and digest verification is performed to obtain the first digest value; a verification digest value is generated using the first digest algorithm; the verification digest value is compared with the first digest value, and if they match, the authentication is passed, meaning that the first signature value does indeed come from a legitimate enterprise client.
[0091] Then, after verification, a second signature value is generated based on the first signature value;
[0092] The second message is processed using a second digest algorithm to obtain a second digest value. The second message includes the first ciphertext, the first public key certificate, the first message, and the data required by the third-party institution. The specific content of the data can be set according to the user's needs. The second digest value is encrypted using the second private key to form the second ciphertext. The first message, the second message, the second ciphertext, and the second digest algorithm are then signed and packaged into a second signature value.
[0093] Finally, the first signature value and the second signature value are sent to the third-party organization via HTTPS.
[0094] The verification connection module is used to control the third-party institution to verify the first signature value and the second signature value. After successful verification, a trust connection is established between the bank and the enterprise client.
[0095] The specific process involves using the client's public key certificate obtained through prior interaction to decrypt the first ciphertext, obtaining a first digest value. A verification digest value is then generated from the first message using the first digest algorithm. The obtained digest value is compared with the first digest value; if they match, it indicates that the message has not been tampered with and the verification message request originates from the client. This invention utilizes a combination of asymmetric key and public-private key technologies to ensure the security of message transmission when a bank connects to a third-party institution.
[0096] As can be seen from the above technical solution, this embodiment provides an access authentication device. This device is applied to a three-party system including an enterprise client, a bank, and at least one third-party institution. Specifically, it controls the enterprise client to receive a first message input by the enterprise user, and calls the digital certificate configured on the enterprise client to sign the first message, obtaining a first signature value, and sends the first signature value to the bank. The bank verifies the first signature value; after determining that the first signature value originates from the enterprise client, it obtains a second signature value based on the first signature value, and sends both the first and second signature values to the third-party institution. The third-party institution verifies the first and second signature values; after successful verification, a trusted connection is established between the bank and the enterprise client. This application uses a dual-signature mechanism to ensure that the data has not been tampered with and originates from the bank by parsing the signature, and to ensure that the customer data has not been tampered with and originates from the enterprise client by parsing the business signature, thereby guaranteeing the security of the connection.
[0097] In addition, this application also includes a client-side filing module 40, such as... Figure 4 As shown:
[0098] This module is used by the bank to determine whether a corporate client has been registered with a third-party institution after logging into the bank's system via a corporate client. If no registration record exists, the bank will apply for registration for the corporate client with the third-party institution. The specific registration process is as follows: Figure 2 As shown.
[0099] Furthermore, this application also includes a certificate update module 50, such as Figure 5 As shown:
[0100] This module is used to determine whether the digital certificate of the enterprise client needs to be updated. If so, the digital certificate is updated and then the enterprise client is re-registered with the third-party organization after the update is completed.
[0101] The units described in the embodiments of this disclosure can be implemented in software or in hardware. The name of a unit does not necessarily limit the unit itself; for example, the first acquisition unit can also be described as "a unit that acquires at least two Internet Protocol addresses".
[0102] The functions described above in this document can be performed, at least in part, by one or more hardware logic components. For example, exemplary types of hardware logic components that can be used, without limitation, include: Field Programmable Gate Arrays (FPGAs), Application-Specific Integrated Circuits (ASICs), Application Standard Products (ASSPs), System-on-Chip (SoCs), Complex Programmable Logic Devices (CPLDs), and so on.
[0103] Figure 6 This is a block diagram of an electronic device according to an embodiment of this application.
[0104] The following is for reference. Figure 6 This document illustrates a structural diagram suitable for implementing the electronic device in the embodiments of this disclosure. The terminal device in the embodiments of this disclosure may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. This electronic device is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this disclosure.
[0105] The electronic device may include a processing unit (e.g., a central processing unit, a graphics processing unit, etc.) 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from an input device 606 into a random access memory (RAM) 603. The RAM also stores various programs and data required for the operation of the electronic device. The processing unit, ROM, and RAM are interconnected via a bus 604. An input / output (I / O) interface 605 is also connected to the bus 604.
[0106] Typically, the following devices can be connected to the I / O interface: input devices including, for example, touchscreens, touchpads, keyboards, mice, cameras, microphones, accelerometers, gyroscopes, etc.; output devices 607 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 608 including, for example, magnetic tapes, hard disks, etc.; and communication devices 609. Communication device 609 allows the electronic device to communicate wirelessly or wiredly with other devices to exchange data. Although electronic devices with various devices are shown in the figures, it should be understood that it is not required to implement or possess all of the devices shown. More or fewer devices may be implemented or possessed alternatively.
[0107] This application also provides an embodiment of a computer-readable storage medium.
[0108] The aforementioned computer-readable storage medium is applied to an electronic device and carries one or more computer programs. When the electronic device executes these programs, it controls the enterprise client to receive a first message input by the enterprise user, invokes the digital certificate configured on the enterprise client to sign the first message, obtains a first signature value, and sends the first signature value to the bank. The bank verifies the first signature value; after confirming that the first signature value originates from the enterprise client, it obtains a second signature value based on the first signature value and sends both the first and second signature values to a third-party institution. The third-party institution verifies the first and second signature values; upon successful verification, a trusted connection is established between the bank and the enterprise client. This application, through a dual-signature mechanism, ensures that the third-party institution's signature parsing guarantees the data has not been tampered with and originates from the bank, and that the business signature parsing guarantees the customer data has not been tampered with and originates from the enterprise client, thereby ensuring connection security.
[0109] It should be noted that the computer-readable medium described above in this disclosure can be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof.
[0110] In this disclosure, a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this disclosure, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wires, optical fibers, RF (radio frequency), etc., or any suitable combination thereof.
[0111] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other.
[0112] Although preferred embodiments of the present invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the embodiments of the present invention.
[0113] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes said element.
[0114] The technical solution provided by the present invention has been described in detail above. Specific examples have been used to illustrate the principle and implementation of the present invention. The description of the above embodiments is only for the purpose of helping to understand the method and core idea of the present invention. At the same time, for those skilled in the art, there will be changes in the specific implementation and application scope based on the idea of the present invention. Therefore, the content of this specification should not be construed as a limitation of the present invention.
Claims
1. An access authentication method applied to a third-party system, the third-party system comprising an enterprise client, a bank client, and at least one third-party institution client, characterized in that, The access authentication method includes the following steps: The enterprise client is controlled to receive a first message input by an enterprise user, and the first message is processed based on a first digest algorithm configured in the digital certificate of the enterprise client to obtain a first digest value; The first digest value is encrypted using the first private key of the digital certificate to obtain the first ciphertext; The first message, the first digest value, the first ciphertext, and the first public key certificate of the digital certificate are packaged into a first signature value; Send the first signature value to the bank. The bank verifies the first signature value. After determining that the first signature value comes from the enterprise client, it obtains a second signature value based on the first signature value and sends the first signature value and the second signature value to the third-party institution. The third-party institution verifies the first signature value and the second signature value, so that the third-party institution parses the second signature value to ensure that the data has not been tampered with and comes from the bank system, and parses the first signature value to ensure that the customer data has not been tampered with and comes from the enterprise client. After verification, a trust connection is established between the bank and the enterprise client.
2. The access authentication method as described in claim 1, characterized in that, The process of controlling the bank to verify the first signature value, determining that the first signature value originates from the enterprise client, obtaining a second signature value based on the first signature value, and sending the first signature value and the second signature value to the third-party institution includes the following steps: Verify whether the first signature value originates from the enterprise client; After verification, the second signature value is generated based on the first signature value; The first signature value and the second signature value are sent to the third-party organization.
3. The access authentication method as described in claim 2, characterized in that, The verification of whether the first signature value comes from the enterprise client includes the following steps: The first signature value is parsed to obtain the first message, the first digest value, the first public key certificate, and the first ciphertext. The first ciphertext is decrypted using the first public key certificate, and the digest is verified to obtain the first digest value; The first digest algorithm is used to generate a verification digest value; The verification digest value is compared with the first digest value. If they match, the authentication is successful.
4. The access authentication method as described in claim 2, characterized in that, The step of generating the second signature value based on the first signature value after verification includes the following steps: The second message is processed using a second digest algorithm to obtain a second digest value. The second message includes the first ciphertext, the first public key certificate, the first message, and the data required by the third-party organization. The second digest value is encrypted using the second private key to form the second ciphertext; The first message, the second message, the second ciphertext, and the second digest algorithm are then packaged together to form a second signature value.
5. The access authentication method as described in any one of claims 1 to 4, characterized in that, It also includes the following steps: The bank verifies whether the enterprise client has been registered with the third-party institution. If no registration has been made, the bank applies for registration for the enterprise client with the third-party institution.
6. The access authentication method according to any one of claims 1 to 4, characterized in that, It also includes the following steps: Based on the bank's determination of whether the digital certificate needs to be updated, if so, the digital certificate is updated and a new filing is applied for for the enterprise client from the third-party institution.
7. An access authentication device applied to a third-party system, the third-party system comprising an enterprise client, a bank client, and at least one third-party institution client, characterized in that, The access authentication device includes: The connection request module is configured to control the enterprise client to receive a first message input by the enterprise user, process the first message based on a first digest algorithm configured in the digital certificate of the enterprise client to obtain a first digest value; encrypt the first digest value using the first private key of the digital certificate to obtain a first ciphertext; package the first message, the first digest value, the first ciphertext, and the first public key certificate of the digital certificate into a first signature value; and send the first signature value to the bank. The verification and sending module is configured to control the bank to verify the first signature value, and after determining that the first signature value comes from the enterprise client, obtain the second signature value based on the first signature value, and send the first signature value and the second signature value to the third-party institution. The connection verification module is configured to control the third-party institution to verify the first signature value and the second signature value, so that the third-party institution can parse the second signature value to ensure that the data has not been tampered with and originates from the bank system, and parse the first signature value to ensure that the customer data has not been tampered with and originates from the enterprise client. After successful verification, a trusted connection is established between the bank and the enterprise client. Or, it may also include: The client-side filing module is configured to verify, based on the bank, whether the enterprise client has been filed with the third-party institution. If no filing has been made, the module will apply for filing for the enterprise client with the third-party institution. Or, it may also include: The certificate update module is configured to determine whether the digital certificate needs to be updated based on the bank's information. If so, the digital certificate is updated and the enterprise client is re-applied for filing with the third-party institution.
8. An electronic device, characterized in that, The electronic device includes at least one processor and a memory connected to the processor, wherein: The memory is used to store computer programs or instructions; The processor is used to execute the computer program or instructions to enable the electronic device to implement the access authentication method as described in any one of claims 1 to 6.
9. A computer-readable storage medium for use in electronic devices, characterized in that, The storage medium carries one or more computer programs that can be executed by the electronic device, thereby enabling the electronic device to implement the access authentication method as described in any one of claims 1 to 6.