A cryptography marking logic isolation method and system based on hierarchical verification

By adopting a cryptographic tagging logic isolation method and system based on hierarchical verification, the problems of missing request source identification and ambiguous permission policies are solved, realizing differentiated controlled output and security defense in multi-level collaboration scenarios, thereby improving the security and efficiency of the system.

CN122241766A · Pending · Publication Date: 2026-06-19 · HANGZHOU ENYE TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HANGZHOU ENYE TECHNOLOGY CO LTD
Filing Date
2025-11-20
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing verification mechanisms suffer from incomplete request source identification, ambiguous permission policy division, and a lack of effective constraints in logical isolation mechanisms. As a result, the system lacks defensive measures when facing security threats and cannot achieve differentiated and controlled output.

Method used

This invention provides a cryptographic tag logic isolation method and system based on hierarchical verification. The system receives a verification request, extracts the identity tag and the service provider identification code, performs cryptographic validity verification, obtains the request source identifier, determines the permission policy, and produces controlled output according to a differentiated information return policy. A constant-time comparison algorithm is used to defend against side-channel attacks.

Benefits of technology

It enables differentiated and controlled output in multi-level collaborative scenarios, prevents unauthorized access to original identification information, enhances the system's ability to respond to security threats, and ensures information security and efficiency in cross-domain transfer.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention is a divisional application of application number 202511705112.1. It discloses a method and system for logical isolation of cryptographic tags based on hierarchical verification, deployed within a controlled internal system. Upon receiving a verification request, the system extracts the identity tag to be verified, the verification code to be verified, and the service provider identifier from the cryptographic tags. Based on a pre-set cryptographic security key, cryptographic operations are performed on the service provider identifier and the identity tag to be verified to generate a calculated verification code, which is then compared with the verification code to be verified to determine legality. If they match, the request source identifier is obtained to determine the authorization policy, and a differentiated information return policy is determined based on the association matching result of the service provider identifier. Based on this policy, differentiated controlled output is executed: for verification nodes with only routing permissions, only routing information is returned; for delivery verification nodes with full access permissions, the original identifier information is restored and returned. This achieves controlled route distribution, access control, and prevention of unauthorized access without requiring physical network isolation.

Description

[0001] This invention is a divisional application of application number 202511705112.1, filed on November 20, 2025, entitled "An autonomous closed-loop method, system, medium and hardware for receiving information based on cryptographic tags".

Technical Field

[0002] This invention belongs to the field of information security and data processing technology, specifically relating to a cryptographic tag logic isolation method and system based on hierarchical verification.

Background Technology

[0003] With the development of information technology and collaborative networks, the process of physical entity flow and digital system interaction is highly dependent on system instruction scheduling. In multi-level collaborative scenarios, it is usually necessary to verify cryptographic tokens representing identity or permissions at each flow node to ensure the security of the flow process.

[0004] However, the current verification and isolation architecture has the following pressing technical problems that need to be addressed: Verification requests lack source identification, and permission policies are ambiguous. Existing verification mechanisms often only perform simple checks on the cryptographic token itself, lacking the extraction and association of the identity of the verification node that initiated the request (i.e., the request source identifier). In multi-party collaborative scenarios, once the token passes verification, the system often cannot achieve differentiated and controlled output based on the request source identifier, leading to the risk of unauthorized access to the original identifier information.

[0005] The logical isolation mechanism lacks an effective constraint system. In cross-domain transfers, different verification nodes should correspond to different logical isolation domains, and existing systems struggle to establish association controls between cryptographic tokens, request source identifiers, and verification nodes. This leaves the system lacking effective defenses against security threats such as time-based side-channel attacks targeting internal key information. Furthermore, the existing verification process lacks immediate blocking actions and auditing mechanisms when it detects failed legitimacy checks or abnormal association matching, failing to effectively guarantee the security of original identification information within the controlled data access boundary.

[0006] Therefore, how to establish a method and system that can both adapt to the needs of hierarchical verification and achieve reliable cryptographic legitimacy verification and logical isolation has become a technical problem that urgently needs to be solved in this field.

Summary of the Invention

[0007] In view of the source identification deficiencies, ambiguous permission policy divisions, lack of effective constraint systems for logical isolation mechanisms, and security threats such as time-based side-channel attacks mentioned in the background technology, the purpose of this invention is to provide a cryptographic tagging logical isolation method and system based on hierarchical verification, so as to achieve reliable cryptographic legitimacy verification and controlled logical isolation.

[0008] To achieve the above objectives, the present invention provides the following technical solution: A first aspect of the present invention provides a cryptographic tagging logic isolation method based on hierarchical verification. This method, deployed in a controlled internal system, is characterized by comprising the following steps:

Step S1, Request Reception and Parameter Extraction: Receive a verification request containing cryptographic tokens to be verified, and extract the identity token to be verified, the verification code to be verified, and the service provider identification code from the cryptographic tokens;

Step S2, Cryptographic Validity Verification: Based on the preset cryptographic security key, perform cryptographic operations on the service provider identifier and the identity tag to be verified to generate a calculated verification code; compare whether the calculated verification code is consistent with the verification code to be verified to complete the validity determination of the cryptographic tag; furthermore, when performing cryptographic operations to generate the computational verification code, the specific steps include: combining a preset interception strategy to execute a message authentication code algorithm to generate the computational verification code;

Step S3, Source Matching and Policy Determination: If the legality determination is consistent, obtain the request source identifier that initiated the verification request; determine the permission policy to which the current verification node belongs based on the request source identifier, and determine the corresponding differentiated information return policy in combination with the association matching result of the service provider identifier code;

Step S4, Differentiated Controlled Output: Based on the differentiated information return strategy, differentiated controlled output is performed on the cryptographic token, thereby returning the corresponding parsing result according to the permission strategy to trigger routing distribution or access control for the controlled information carrier.

[0009] Furthermore, step S4, which involves performing differentiated controlled output on the cryptographic token, specifically includes: If the permission policy indicates that the current verification node is a verification node with only routing permissions, then based on the differentiated information return policy, only routing information used for path guidance will be returned; If the permission policy indicates that the current verification node is a delivery verification node with full access permissions, then based on the differentiated information return policy, the original identification information bound to the cryptographic token is restored and returned.

[0010] Further, in step S2, when comparing whether the calculated check code matches the check code to be verified: A constant-time comparison algorithm is used to perform the comparison operation so that the execution cycle of the comparison operation does not fluctuate with changes in the input data, thereby defending against time-based side-channel attacks.

[0011] Furthermore, the controlled internal system maintains a preset correspondence between multiple verification nodes; In step S3, when determining the permission policy to which the current verification node belongs, the controlled internal system retrieves the association matching result between the service provider identifier and the request source identifier based on the preset correspondence. Only when the two satisfy the association matching rule can the corresponding permission policy be determined, so as to realize the routing distribution or access control for different verification nodes.

[0012] Optionally, the method further includes an exception handling step: If the legality determination in step S2 fails, or if no corresponding relationship satisfying the association matching rule is found in step S3, execution of the differentiated controlled output is refused, a blocking action is triggered to terminate the current interaction operation, and an audit log record containing the request source identifier is generated.

[0013] A second aspect of the present invention provides a cryptographically marked logical isolation system based on hierarchical verification. This system is deployed within a controlled internal system and is characterized by comprising:

Request receiving and parameter extraction module: used to receive a verification request containing cryptographic tokens to be verified, and extract the identity token to be verified, the verification code to be verified, and the service provider identification code from the cryptographic tokens;

Cryptographic legitimacy verification module: used to perform cryptographic operations on the service provider identifier and the identity tag to be verified based on a preset cryptographic security key to generate a calculated verification code; compare the calculated verification code with the verification code to be verified to determine the legitimacy of the cryptographic tag; furthermore, when performing cryptographic operations to generate the computational verification code, the specific steps include: combining a preset interception strategy to execute a message authentication code algorithm to generate the computational verification code;

Source matching and policy determination module: When the legality determination is consistent, it is used to obtain the request source identifier that initiated the verification request; determine the permission policy to which the current verification node belongs based on the request source identifier, and determine the corresponding differentiated information return policy in combination with the association matching result of the service provider identifier code;

Differentiated Controlled Output Module: Based on the differentiated information return strategy, it performs differentiated controlled output on the cryptographic token, thereby returning the corresponding parsing result according to the permission strategy, so as to trigger routing distribution or access control for the controlled information carrier.

[0014] Furthermore, the differentiated controlled output module is specifically used for: If the permission policy indicates that the current verification node is a verification node with only routing permissions, then based on the differentiated information return policy, only routing information used for path guidance will be returned; If the permission policy indicates that the current verification node is a delivery verification node with full access permissions, then based on the differentiated information return policy, the original identification information bound to the cryptographic token is restored and returned.

[0015] Furthermore, when comparing the calculated checksum with the checksum to be verified, the cryptographic validity verification module is specifically configured as follows: A constant-time comparison algorithm is used to perform the comparison operation so that the execution cycle of the comparison operation does not fluctuate with changes in the input data, thereby defending against time-based side-channel attacks.

[0016] Furthermore, the system maintains a preset correspondence between multiple verification nodes; When determining the permission policy to which the current verification node belongs, the source matching and policy determination module is specifically used for: Based on the preset correspondence, the association matching results of the service provider identifier and the request source identifier are retrieved. Only when the two satisfy the association matching rules can the corresponding permission policy be determined so as to realize the routing distribution or access control for different verification nodes.

[0017] Optionally, the system further includes an exception handling module, which is used to: If the legality determination of the cryptographic legality verification module fails, or if the source matching and policy determination module fails to find a corresponding relationship that satisfies the association matching rule, the differentiated controlled output will be refused, a blocking action will be triggered to terminate the current interaction operation, and an audit log record containing the request source identifier will be generated.

[0018] A third aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the hierarchical verification-based cryptographic tag logic isolation method as described in the first aspect of the present invention and any alternative embodiment thereof.

[0019] A fourth aspect of the present invention provides an electronic device, comprising: a memory, a processor, and a communication interface; wherein the memory stores a computer program executable on the processor; and when the processor executes the computer program, it implements the steps of the hierarchical verification-based cryptographic tag logic isolation method as described in the first aspect of the present invention and any alternative embodiment thereof.

[0020] The fifth aspect of the present invention provides a computer program product comprising a computer program / instruction that, when executed by a processor, implements the steps in the hierarchical verification-based cryptographic tag logical isolation method as described in the first aspect of the present invention and any alternative thereof.

[0021] Compared with the prior art, the present invention has the following beneficial effects: This invention addresses the issues of missing request source identification and ambiguous permission policy division in verification mechanisms. By extracting the request source identifier and combining it with the association and matching results with the service provider's identifier, controlled logical isolation is achieved within a controlled internal system. This mechanism ensures that each verification node can only obtain data of the corresponding level within its own controlled data access boundary, effectively preventing unauthorized access to the original identification information.

[0022] This invention enables differentiated and controlled output in multi-level collaborative scenarios. It allows the same cryptographic token to return differentiated and controlled outputs based on generated differentiated information at verification nodes with different permission policies. This feature satisfies the path guidance needs of verification nodes with only routing permissions while ensuring data security for delivery verification nodes with full access permissions, thus balancing cross-domain transfer efficiency with privacy isolation requirements.

[0023] A comprehensive defense mechanism encompassing cryptographic algorithms and system logic has been constructed, enhancing the system's ability to respond to security threats. In the cryptographic legitimacy verification stage, this invention effectively defends against time-based side-channel attacks targeting pre-set cryptographic security keys by employing a constant-time comparison algorithm. In the logical isolation control stage, the reliability of the verification process is improved and information security within the logical isolation domain is ensured by deploying blocking actions and anomaly handling mechanisms.

Attached Figure Description

[0024] Figure 1 is a diagram illustrating the hierarchical verification and logical isolation architecture of an embodiment of the present invention; Figure 2 is a flowchart of the graded verification and differentiated controlled output method in an embodiment of the present invention; Figure 3 is a flowchart of the underlying timing defense and exception handling in an embodiment of the present invention.

Detailed Implementation

[0025] Before describing the specific embodiments of this application in detail, the core specific terms involved in the entire specification and claims are defined as follows to enable those skilled in the art to accurately understand the technical solutions of this application: Controlled internal system: In this application, this refers to the server-side system responsible for receiving verification requests, performing cryptographic validity checks, and implementing differentiated controlled outputs. Furthermore, the deployment form of the controlled internal system (or internal server) should not constitute a limitation on the scope of protection of this application. It can be physically deployed in a local data center of a specific group, or logically deployed in a private cloud space or a controlled virtual private cloud (VPC) exclusively rented by a specific group, as long as its data access permissions are controlled by that specific group.

[0026] Original identification information: In this application, it refers to the identity of sensitive data or objects to be protected that is controlled by the controlled internal system and has a unique binding relationship with a cryptographic token.

[0027] Cryptographic token: In this application, it refers to a data structure or credential generated by the controlled internal system, used to proxy the original identification information for transmission by external nodes, and used as the basis for legality determination and authorization matching in the verification process.

[0028] Request source identifier: In this application, it refers to the data field or logical identifier used to characterize the identity of the verification node that initiates the verification request and to serve as the basis for the permission division strategy of the controlled internal system.

[0029] Service Provider Identifier: In this application, it refers to a logical identifier or data field embedded in cryptographic tags. During hierarchical verification and logical isolation, it is used to associate and match with the request source identifier, serving as an objective basis for the controlled internal system to determine the verification node permission policy and generate differentiated information return policies.

[0030] It should be noted that the 'triggering routing distribution or access control for the controlled information carrier' described in this application, in digital systems or cross-network domain interaction scenarios, essentially implements a differentiated access control mechanism based on cryptographic tags, that is, dynamically determining the routing access or read / write access permissions of the target data according to the identity and permissions of the requesting source.

[0031] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.

[0032] Example 1: System Overall Architecture and Hierarchical Verification of Cryptographic Symbols

As shown in Figure 1, this embodiment describes a hierarchical authentication and logical isolation architecture deployed in a controlled internal system (104). The controlled internal system (104) obtains the request source identifier (101) in the authentication request (108) and combines it with the data structure in the cryptographic token (102) to achieve access control and logical isolation within the system.

[0033] Cryptographically labeled data structures: The cryptographic token (102) supports a hierarchical verification mechanism, which is composed of the service provider identifier A (103), the identity token P (109), and the verification code V (110) concatenated according to a predetermined format. Wherein: Service Provider Identifier A (103): Configured as an embedded logical identifier, a pre-established correspondence with the verification node is established in the controlled internal system (104). Logically, the service provider identifier A (103) corresponds simultaneously to both the verification node (105) with only routing permissions and the delivery verification node (106) with full access permissions. The service provider identifier A (103) solidifies the above-mentioned pre-established correspondence during the generation stage, enabling the cryptographic token (102) to serve as the core basis for dividing logical isolation domains.

[0034] Core processing module functions: The controlled internal system (104) integrates four functional modules that work together to execute a hierarchical verification pipeline: Request receiving and parameter extraction module (111): Receives verification request (108) from external circulation link (107), extracts request source identifier (101) from the verification request (108), such as terminal device identifier or source terminal identity; at the same time, extracts identity token P' (109), verification code V' (110) and service provider identifier A' (103) to be verified from cryptographic token (102).

[0035] Cryptographic legitimacy verification module (112): Based on the preset cryptographic security key (115) and the preset interception strategy (116), the message authentication code algorithm is executed on the extracted service identifier code A' (103) and the identity tag P' (109) to be verified to generate a calculated verification code (119); the calculated verification code (119) is compared with the verification code V' (110) to be verified to complete the legitimacy determination of the cryptographic tag.

[0036] Source matching and policy determination module (113): When the legality is determined to be consistent, the system retrieves the preset correspondence (117) maintained by the system based on the extracted request source identifier (101) and service provider identifier code A' (103). Based on the matching result, the system determines the permission policy applicable to the current verification node (118) and generates a differentiated information return policy (120) accordingly.

[0037] Differentiated Controlled Output Module (114): Based on the differentiated information return strategy (120), it performs output within the logically isolated domain divided by the controlled internal system. If the permission policy (118) indicates that the current request source corresponds to a verification node (105) with only routing permissions, then only the routing information used for path guidance is returned; if it corresponds to a delivery verification node (106) with full access permissions, then the original identification information bound to the cryptographic token is restored and returned.

[0038] In addition to the normal verification pipeline, to address potential security threats, the controlled internal system (104) also deploys anomaly defense mechanisms in parallel: Anomaly handling module (121): As the security defense base of the controlled internal system (104), when the cryptographic legality verification module (112) determines that it has failed, or when the source matching and policy determination module (113) fails to find a corresponding relationship that satisfies the association matching rule, this module triggers a forced blocking action to terminate the current interactive operation, refuses to execute any differentiated controlled output, and generates an audit log record containing the request source identifier (101) to ensure absolute security within the logical isolation domain.

[0039] Distributed deployment and real-time control scenarios: As an application of the above architecture in a specific scenario, the controlled internal system (104) supports the deployment of distributed verification nodes. Since the cryptographic token (102) embeds the logical association attribute of the processing level through the service provider identifier A (103), the request receiving and parameter extraction module (111) can immediately extract the request source identifier (101) and combine it with the local preset correspondence (117) when receiving the verification request (108) from the external circulation link (107) to realize the local determination of the permission policy. This application mode realizes the distributed collaboration of control logic flowing with the cryptographic token (102) by distributing the verification logic to each verification node, and ensures the security of the data access boundary without the need for physical network isolation.

[0040] In specific implementation scenarios of this invention, the controlled information carrier can take various cross-domain forms. For example, in physical entity circulation scenarios, it can manifest as a physical package or confidential container carrying cryptographic tags; in digital system interaction scenarios, it can manifest as a digital communication message encapsulated with cryptographic tags.

[0041] Example 2: Graded Validation and Differentiated Controlled Output Method

As shown in Figure 2, this embodiment elaborates on the specific method and process of the controlled internal system performing hierarchical verification of cryptographic tokens.

[0042] Regarding the verification of control and controlled output logic, the process is logically divided into the following key steps: Step S1: Request Reception and Parameter Extraction: The request reception and parameter extraction module receives a verification request containing cryptographic tokens to be verified. The system extracts the source terminal identity as the request source identifier through the communication interface. Simultaneously, the system extracts the identity token P' to be verified, the verification code V' to be verified, and the service provider identifier A' from the cryptographic tokens. The extracted data is temporarily stored within a controlled internal system as a basis for subsequent judgment.

[0043] Step S2 Cryptographic Validity Verification: The cryptographic validity verification module uses a pre-set cryptographic security key and a pre-configured interception strategy to perform message authentication code operations on the service provider identifier A' and the identity token P' to generate a calculated verification code. Subsequently, the system compares the calculated verification code with the verification code V' to be verified. During this process, the system employs a constant-time comparison algorithm to perform the comparison operation, ensuring that the execution period of the comparison operation does not fluctuate with changes in the input data, thereby defending against time-based side-channel attacks and completing the validity determination.

[0044] Step S3 Source Matching and Policy Determination: After the legality is determined to be consistent, the source matching and policy determination module retrieves the association matching results between the service provider identifier A' and the request source identifier based on a preset correspondence. Only when the two satisfy the association matching rules can the system determine the permission policy to which the current verification node belongs, and determine the corresponding differentiated information return policy accordingly.

[0045] Step S4 Differentiated Controlled Output: Based on the differentiated information return strategy generated in Step S3, the differentiated controlled output module performs differentiated controlled output on the cryptographic token. If the permission policy indicates that the request source identifier corresponds to a verification node with only routing permissions, the system only returns routing information for path guidance (201); if the permission policy indicates that the request source identifier corresponds to a delivery verification node with full access permissions, the system can restore and return the original identifier information bound to the cryptographic token (202).

[0046] Hierarchical workflow and controlled access scenarios: As a specific application of the above process in a collaborative workflow scenario, this method mechanism triggers routing distribution or access control for the controlled information carrier. In cross-domain workflow scenarios, when a tag flows through a verification node acting as a relay with only routing permissions, step S3 determines that it matches the corresponding permission policy, and step S4 only returns routing information. Even if the node attempts to resolve an unauthorized request, it cannot obtain the original identifier information. Only when the tag arrives at a delivery verification node with full access permissions can the system restore and return the original identifier information based on the matching result. This application implements hierarchical verification and access control based on logical isolation.

[0047] Example 3: Side-channel attack defense and anomaly handling steps. As shown in Figure 3, this embodiment elaborates on the handling strategy of the controlled internal system when a security risk is detected. Its core lies in the constant-time nature of the cryptographic legitimacy verification and the anomaly handling logic of the controlled internal system.

[0048] Regarding timing defense and exception handling logic: Step S301: Legality Determination and Constant-Time Comparison: During the legality determination of the cryptographic token, the controlled internal system calls a constant-time comparison algorithm. This mechanism ensures that the execution time of the comparison operation does not vary with the input data, thereby defending against time-based side-channel attacks. If the legality determination fails, or no correspondence satisfying the association matching rule is found, the process proceeds to step S302 to trigger a preset exception handling step.

[0049] Step S302 Triggering anomaly handling steps: When the controlled internal system detects that the above-mentioned legality determination has failed or that no correspondence has been matched, a preset anomaly handling step is triggered. This mechanism issues a processing instruction, refuses to generate a differentiated information return strategy, and triggers blocking actions.

[0050] Step S303 Deny instruction generation and stop data access: As the primary response to the exception handling, the controlled internal system refuses to execute the differentiated controlled output and stops the restoration operation of the original identification information, ensuring that the original identification information is under control within the system.

[0051] Step S304: Trigger a blocking action to terminate the current operation: While refusing to execute the differentiated controlled output, the controlled internal system triggers a blocking action to terminate the current interactive operation. By stopping subsequent data transmission and response, unauthorized probing behavior is rendered ineffective, thereby preventing the leakage of original identification information.

[0052] Step S305 Generate audit log record: After the operation has been terminated, the controlled internal system extracts the identification information of the request source, generates an audit log record containing the request source identifier, and securely stores it in the internal area. Optionally, an alarm message may be sent to the system administrator.

[0053] Security Defense Applications: As a specific application of the above mechanism in a defense scenario, the constant-time comparison algorithm defends against time-based side-channel attacks targeting pre-set cryptographic security keys. Simultaneously, the anomaly handling mechanism alters the logic of traditional systems that allow continuous attempts. Once an anomaly is detected, the system terminates the current controlled output. This application constructs a security barrier for the controlled internal system, supported by both cryptographic algorithms and system logic.
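The flow of steps S1 to S4 and the failure path S301 to S305, sketched in Python as an added example; it is not code from the patent. The token layout, key, node names, lookup tables and the 16-byte MAC truncation (one reading of the "preset interception strategy" in claim 2) are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Every name and value here is constructed for illustration.
KEY = b"constructed-demo-key"   # stands in for the preset security key
MAC_LEN = 16                    # assumed truncation length, in bytes
# Preset correspondence: (provider code, request source) -> permission policy
CORRESPONDENCE = {
    ("SP-A", "relay-01"): "route_only",
    ("SP-A", "delivery-09"): "full_access",
}
ROUTES = {"SP-A": "hub-east"}                  # routing info per provider
ORIGINALS = {"tag-7f3a": "ORDER-000123"}       # identity tag -> original identifier
AUDIT_LOG = []


def compute_mac(provider: str, tag: str) -> str:
    """S2: HMAC-SHA256 over provider code and identity tag, truncated."""
    msg = provider.encode() + b"\x00" + tag.encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN].hex()


def make_token(provider: str, tag: str) -> str:
    """Issuer side: provider.tag.mac (assumed layout)."""
    return f"{provider}.{tag}.{compute_mac(provider, tag)}"


def deny(source: str, reason: str) -> dict:
    """S302-S305: refuse output, stop, and log the request source."""
    AUDIT_LOG.append({"source": source, "reason": reason})
    return {"status": "denied"}  # same reply for every failure cause


def verify(token: str, source: str) -> dict:
    # S1: extract provider code, identity tag and presented check code
    parts = token.split(".")
    if len(parts) != 3:
        return deny(source, "malformed")
    provider, tag, presented = parts
    # S2/S301: compare_digest takes time independent of where bytes differ
    expected = compute_mac(provider, tag)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return deny(source, "mac_mismatch")
    # S3: a policy exists only for a (provider, source) pair in the table
    policy = CORRESPONDENCE.get((provider, source))
    if policy is None:
        return deny(source, "no_correspondence")
    # S4: relay nodes get routing info only; delivery nodes get the original
    if policy == "route_only":
        return {"status": "ok", "route": ROUTES[provider]}
    return {"status": "ok", "original": ORIGINALS[tag]}
```

The caller sees one uniform denial while the specific cause goes only to the audit log, so a probing node learns nothing about which check failed.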

[0054] Example 4: Electronic device. This application also provides an electronic device that logically corresponds to the foregoing method embodiments. Specifically, the electronic device includes a processor and a memory, wherein the memory is used to store a computer program, and the processor implements the steps of the hierarchical verification-based cryptographic tag logical isolation method as described in any one of claims 1 to 6 by calling and executing the computer program stored in the memory.

[0055] It should be understood that the electronic device, as the hardware carrier for executing the aforementioned method, has internal hardware connections and operational logic that are logically consistent with the steps of the aforementioned method.

[0056] Example 5: Computer-readable storage medium. This application also provides a computer-readable storage medium storing a computer program thereon. When executed by a processor, the computer program implements the steps of the cryptographic tag logic isolation method based on hierarchical verification as described in any one of claims 1 to 6. The computer-readable storage medium may be non-transitory, including but not limited to disks, optical disks, flash memory, or any form of electronic storage device.

[0057] It should be noted that the electronic device provided in this application includes a processor for executing instructions stored in a memory to implement the above-described method. The processor should be understood as a logic device with computational processing capabilities, and its specific form should not constitute a limitation on the scope of protection of this application.

[0058] Furthermore, in the embodiments of this application, the aforementioned method steps can all be implemented by a computer program product. This computer program product includes a computer program/instructions that, when executed by a processor, implement the steps of any of the above method embodiments. This computer program product can be written in any combination of one or more programming languages and can be distributed and deployed via network download, or stored in memory, registers, or any form of storage medium.

[0059] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Those skilled in the art can make various improvements and modifications without departing from the spirit and principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. A cryptographic tagging logical isolation method based on hierarchical verification, deployed in a controlled internal system, characterized in that it includes the following steps: Step S1, Request Reception and Parameter Extraction: receive a verification request containing cryptographic tokens to be verified, and extract the identity token to be verified, the verification code to be verified, and the service provider identification code from the cryptographic tokens; Step S2, Cryptographic Validity Verification: based on the preset cryptographic security key, perform cryptographic operations on the service provider identifier and the identity token to be verified to generate a verification code; the legality of the cryptographic tag is determined by comparing whether the calculated check code matches the check code to be verified; Step S3, Source Matching and Strategy Determination: if the legality determination is consistent, obtain the request source identifier that initiated the verification request; based on the request source identifier, the permission policy to which the current verification node belongs is determined, and combined with the association matching result of the service provider identifier code, the corresponding differentiated information return policy is determined; Step S4, Differentiated Controlled Output: based on the differentiated information return strategy, differentiated controlled output is performed on the cryptographic token, thereby returning the corresponding parsing result according to the permission strategy to trigger routing distribution or access control for the controlled information carrier.

2. The cryptographic tag logic isolation method based on hierarchical verification according to claim 1, characterized in that, in step S2, performing cryptographic operations to generate a verification code specifically includes: combined with a preset interception strategy, a message authentication code algorithm is executed to generate the calculated verification code.

3. The cryptographic tag logic isolation method based on hierarchical verification according to claim 1, characterized in that step S4, which involves performing differentiated controlled output on the cryptographic token, specifically includes: if the permission policy indicates that the current verification node is a verification node with only routing permissions, then based on the differentiated information return policy, only routing information used for path guidance will be returned; if the permission policy indicates that the current verification node is a delivery verification node with full access permissions, then based on the differentiated information return policy, the original identification information bound to the cryptographic token is restored and returned.

4. The cryptographic tagging logic isolation method based on hierarchical verification according to claim 1, characterized in that, in step S2, when comparing whether the calculated check code matches the check code to be verified: a constant-time comparison algorithm is used to perform the comparison operation so that the execution cycle of the comparison operation does not fluctuate with changes in the input data, thereby defending against time-based side-channel attacks.

5. The cryptographic tagging logic isolation method based on hierarchical verification according to claim 1, characterized in that the controlled internal system maintains a preset correspondence between multiple verification nodes; in step S3, when determining the permission policy to which the current verification node belongs, the controlled internal system retrieves the association matching result between the service provider identifier and the request source identifier based on the preset correspondence. Only when the two satisfy the association matching rule can the corresponding permission policy be determined, so as to realize the routing distribution or access control for different verification nodes.

6. The cryptographic tag logic isolation method based on hierarchical verification according to claim 5, characterized in that it also includes exception handling steps: if the legality determination in step S2 fails, or if no corresponding relationship satisfying the association matching rule is found in step S3, the differentiated controlled output is refused to be executed, a blocking action is triggered to terminate the current interaction operation, and an audit log record containing the request source identifier is generated.

7. A cryptographically marked logical isolation system based on hierarchical verification, deployed in a controlled internal system, characterized in that it includes: a request receiving and parameter extraction module, used to receive a verification request containing cryptographic tokens to be verified, and extract the identity token to be verified, the verification code to be verified, and the service provider identification code from the cryptographic tokens; a cryptographic legitimacy verification module, used to perform cryptographic operations on the service provider identifier and the identity tag to be verified based on a preset cryptographic security key to generate a calculated verification code, and to compare the calculated verification code with the verification code to be verified to determine the legitimacy of the cryptographic tag; a source matching and strategy determination module, used to obtain the request source identifier that initiated the verification request when the legality determination is consistent; based on the request source identifier, the permission policy to which the current verification node belongs is determined, and combined with the association matching result of the service provider identifier code, the corresponding differentiated information return policy is determined; a differentiated controlled output module, which, based on the differentiated information return strategy, performs differentiated controlled output on the cryptographic token, thereby returning the corresponding parsing result according to the permission strategy, so as to trigger routing distribution or access control for the controlled information carrier.

8. A cryptographic tagging logic isolation system based on hierarchical verification according to claim 7, characterized in that the cryptographic validity verification module, when performing cryptographic operations to generate a verification code, is specifically used for: combined with a preset interception strategy, executing a message authentication code algorithm to generate the calculated verification code.

9. A cryptographic tagging logic isolation system based on hierarchical verification according to claim 7, characterized in that the differentiated controlled output module is specifically used for: if the permission policy indicates that the current verification node is a verification node with only routing permissions, then based on the differentiated information return policy, only routing information used for path guidance will be returned; if the permission policy indicates that the current verification node is a delivery verification node with full access permissions, then based on the differentiated information return policy, the original identification information bound to the cryptographic token is restored and returned.

10. A cryptographic tagging logic isolation system based on hierarchical verification according to claim 7, characterized in that the cryptographic validity verification module is specifically configured as follows when comparing the calculated checksum with the checksum to be verified: a constant-time comparison algorithm is used to perform the comparison operation so that the execution cycle of the comparison operation does not fluctuate with changes in the input data, thereby defending against time-based side-channel attacks.

11. A cryptographic tagging logic isolation system based on hierarchical verification according to claim 7, characterized in that the system maintains a preset correspondence between multiple verification nodes; when determining the permission policy to which the current verification node belongs, the source matching and policy determination module is specifically used for: based on the preset correspondence, retrieving the association matching results of the service provider identifier and the request source identifier. Only when the two satisfy the association matching rules can the corresponding permission policy be determined so as to realize the routing distribution or access control for different verification nodes.

12. A cryptographic tagging logic isolation system based on hierarchical verification according to claim 11, characterized in that it also includes an exception handling module, which is used for: if the legality determination of the cryptographic legality verification module fails, or if the source matching and policy determination module fails to find a corresponding relationship that satisfies the association matching rule, the differentiated controlled output will be refused, a blocking action will be triggered to terminate the current interaction operation, and an audit log record containing the request source identifier will be generated.

13. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by the processor, it implements the steps of the cryptographic tag logic isolation method based on hierarchical verification as described in any one of claims 1 to 6.

14. An electronic device, characterized in that it includes: a memory, a processor, and a communication interface; the memory stores computer programs that can run on the processor. When the processor executes the computer program, it implements the steps of the cryptographic tag logic isolation method based on hierarchical verification as described in any one of claims 1 to 6.

15. A computer program product comprising a computer program/instructions, characterized in that, when the computer program/instructions are executed by the processor, they implement the steps of the cryptographic tag logic isolation method based on hierarchical verification as described in any one of claims 1 to 6.