Access key generation method and apparatus, electronic device, medium, and program product
By adding a private signature to the access key and using randomly generated content to fill the string and perform calculations using a preset algorithm, the problem of tracing the massive number of access keys on cloud platforms is solved, achieving fast and accurate traceability analysis and enhanced security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHONGQING ANT CONSUMER FINANCE CO LTD
- Filing Date
- 2025-12-08
- Publication Date
- 2026-06-19
AI Technical Summary
Cloud platforms struggle to quickly and accurately trace the ownership of massive amounts of access keys, making it difficult for security teams to respond promptly to AK and SK leaks and control the scope of their impact.
By secretly adding a private signature to the access key, and using randomly generated content to fill the string and a preset private signature algorithm to calculate, the uniqueness and verifiability of the access key are ensured by extracting and comparing the signature string.
It enables rapid and accurate source tracing and analysis of suspected leaked access keys, reduces the potential attack surface of the cloud platform key verification and signature system, enhances security, and allows security teams to independently monitor leaks, reducing the risk of misjudgment and attacks.
Figure CN122247633A_ABST
Description
Technical Field
[0001] This specification relates to the field of computer technology, and in particular to an access key generation method, apparatus, electronic device, medium, and program product.
Background Technology
[0002] Cloud platforms issue a large number of Access Key IDs (AKs) and Secret Access Keys (SKs), especially large public cloud platforms, large private clouds, and large dedicated clouds. From a security domain perspective, it is necessary to proactively monitor whether the services the team is protecting have had their AKs and SKs leaked on the internet. Faced with the constant stream of suspected leaked AK and SK intelligence on the internet, security teams need to quickly and accurately trace and analyze the AKs and SKs to determine whether they involve the services the team is protecting, so as to initiate emergency response as soon as possible and control the scope of impact.
Summary of the Invention
[0003] This specification provides an access key generation method, apparatus, electronic device, medium, and program product. By implicitly embedding a private signature into the access key issued by this organization, it is possible to quickly and accurately trace and analyze suspected leaked access keys, effectively solving the problem of accurately determining the ownership of massive numbers of access keys under traditional methods. The above technical solution is as follows:
Firstly, embodiments of this specification provide a method for generating access keys, including:
- Randomly generating a content fill string of a preset fill length;
- Combining the preset public prefix identifier, the preset private signature algorithm identifier, the preset placeholder string, and the content fill string to obtain the second string to be calculated;
- Invoking the preset private signature algorithm corresponding to the preset private signature algorithm identifier to calculate the second string to be calculated and obtain the result string;
- Extracting a signature string of a preset signature length from the result string based on a preset position;
- Inserting the signature string, as a private signature, into the second string to be calculated to obtain the access key issued by this organization.
[0004] In one possible implementation, the above method also includes:
- Extracting the target private signature algorithm identifier and target private signature from the access key to be traced;
- Invoking the target private signature algorithm corresponding to the target private signature algorithm identifier and performing the calculation based on the access key to be traced to obtain the target calculation result;
- Comparing the target computation signature in the target computation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced.
The target computation signature is a string with a preset signature length corresponding to a preset position in the target computation result; the preset signature length is used to characterize the string length corresponding to the private signature in the access key issued by this organization.
[0005] In one possible implementation, before extracting the target private signature algorithm identifier and the target private signature from the access key to be traced, the method further includes: The above-mentioned access key to be traced is format verified to obtain the target format verification result; If the above target format verification result is that the format verification fails, then it is determined that the above access key to be traced does not belong to this organization. If the above target format verification result is that the format verification is successful, then the above steps of extracting the target private signature algorithm identifier and target private signature from the access key to be traced are performed.
[0006] In one possible implementation, the above-mentioned format verification of the access key to be traced, to obtain the target format verification result, includes: Verify whether the length of the access key to be traced is consistent with the preset access key length, and verify whether the public prefix in the access key to be traced is the preset public prefix; the preset access key length is the total length of access keys issued by this organization; the preset public prefix is the public prefix set in the access keys issued by this organization. If the length of the access key to be traced is inconsistent with the length of the preset access key, or if the public prefix identifier in the access key to be traced is not the preset public prefix identifier, then the format verification of the access key to be traced fails. If the length of the access key to be traced is the same as the length of the preset access key and the public prefix in the access key to be traced is the preset public prefix, then the format verification of the access key to be traced is confirmed to be successful.
[0007] In one possible implementation, the aforementioned call to the target private signature algorithm corresponding to the target private signature algorithm identifier, based on the aforementioned access key to be traced, calculates the target calculation result, including: Replace the target private signature in the above-mentioned access key to be traced with a preset placeholder string to obtain the first string to be calculated; the above-mentioned preset placeholder string is used to reserve the position of the private signature before the private signature is calculated during the process of issuing access keys by this organization; The target private signature algorithm corresponding to the target private signature algorithm identifier is invoked to perform calculations on the first string to be calculated, and the target calculation result is obtained.
[0008] In one possible implementation, the target computation signature in the target computation result is compared with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced, including: If the target calculated signature is consistent with the target private signature, then the access key to be traced is determined to have been issued by this organization. If the target calculated signature is inconsistent with the target private signature, then the access key to be traced is determined not to have been issued by this organization.
[0009] In one possible implementation, after comparing the target computation signature in the target computation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced, the method further includes: If the aforementioned access key to be traced was issued by this organization, then the access operation corresponding to the aforementioned access key to be traced is prohibited, or the access permissions corresponding to the aforementioned access key to be traced are reduced, or the preset private signature algorithm and the corresponding preset private signature algorithm identifier used by this organization in the process of issuing access keys are updated.
[0010] Secondly, embodiments of this specification provide an access key generation apparatus, the apparatus comprising: The generation module is used to randomly generate a content fill string of a preset fill length; The combination module is used to combine the preset public prefix identifier, the preset private signature algorithm identifier, the preset placeholder string, and the fill string of the above content to obtain the second string to be calculated; The second calculation module is used to call the preset private signature algorithm corresponding to the preset private signature algorithm identifier, calculate the second string to be calculated, and obtain the result string. The second extraction module is used to extract a signature string of a preset signature length from the result string based on the preset position mentioned above; The filling module is used to fill the above-mentioned signature string as a private signature into the above-mentioned second string to be calculated, so as to obtain the access key issued by this organization.
[0011] Thirdly, embodiments of this specification provide an electronic device, including: a processor and a memory; The processor is connected to the memory. The aforementioned memory is used to store executable program code; The processor reads the executable program code stored in the memory to run a program corresponding to the executable program code, so as to execute the method provided in the first aspect of the embodiments of this specification.
[0012] Fourthly, embodiments of this specification provide a computer storage medium storing a plurality of instructions adapted for loading by a processor and executing the method provided in the first aspect of embodiments of this specification.
[0013] Fifthly, embodiments of this specification provide a computer program product containing instructions that, when run on a computer or processor, cause the computer or processor to execute the access key tracing method provided in the first aspect of embodiments of this specification.
[0014] In this embodiment, the target private signature algorithm identifier and target private signature are extracted from the access key to be traced, and the target private signature algorithm corresponding to the target private signature algorithm identifier is called for calculation. Finally, the target calculated signature in the target calculation result is compared with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced. The target calculated signature is a string of a preset signature length corresponding to a preset position in the above target calculation result. The preset signature length is used to represent the string length corresponding to the private signature in the access key issued by this organization. Thus, by implicitly adding a private signature to the access key issued by this organization, the tracing analysis of suspected leaked access keys can be performed quickly and accurately, effectively solving the problem of difficulty in accurately determining the ownership of massive access keys under traditional methods. At the same time, it decouples from the cloud platform network at the network level, from the cloud platform key issuance application at the technical level, and from the cloud platform development team at the usage level, enabling the security team to independently monitor the leakage of access keys, reducing the potential attack surface of the cloud platform key verification system and enhancing the security of the cloud platform key verification system.
Attached Figure Description
[0015] To more clearly illustrate the technical solutions in the embodiments of this specification, the accompanying drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0016] Figure 1 is a schematic diagram of the architecture of an access key tracing system provided as an exemplary embodiment of this specification;
Figure 2 is a flowchart illustrating an access key tracing method provided as an exemplary embodiment of this specification;
Figure 3 is a flowchart illustrating another access key tracing method provided as an exemplary embodiment of this specification;
Figure 4 is a flowchart illustrating an access key generation method provided as an exemplary embodiment of this specification;
Figure 5 is a schematic diagram of an access key tracing device provided as an exemplary embodiment of this specification;
Figure 6 is a schematic diagram of the structure of an electronic device provided as an exemplary embodiment of this specification.
Detailed Implementation
[0017] The technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings.
[0018] The terms "first," "second," "third," etc., used in this specification, claims, and the foregoing drawings are used to distinguish different objects, not to describe a particular order. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or apparatus that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units not listed, or may optionally include other steps or units inherent to such processes, methods, products, or apparatus.
[0019] It should be noted that the information (including but not limited to user device information, user personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.), and signals involved in the embodiments of this specification are all authorized by the user or fully authorized by all parties, and the collection, use, and processing of related data must comply with the relevant laws, regulations, and standards of the relevant countries and regions. For example, the access keys to be traced involved in this specification were all obtained under fully authorized circumstances.
[0020] Please refer to Figure 1, which is a schematic diagram of the architecture of an access key tracing system provided in an exemplary embodiment of this specification. As shown in Figure 1, the access key tracing system may include: terminal 110 and server 120. Wherein: Terminal 110 may include one or more user terminals. One or more user-version applications may be installed on terminal 110. Terminal 110 can establish a data relationship with a network and establish a data connection with server 120 through the network, such as sending user messages and receiving recommendation responses returned by server 120. Terminal 110 may be, but is not limited to, a mobile phone, tablet computer, laptop computer, or other device with user-version applications installed.
[0021] Optionally, the terminal 110 can be the user terminal corresponding to the user who needs to perform access key tracing. The user can trigger an access key tracing request through the application on the terminal 110 and send the access key tracing request to the server 120. At the same time, the user can also view the target access key tracing result returned by the server 120 through the application.
[0022] Server 120 can be a server that can provide multiple access key traceability. Server 120 can be, but is not limited to, a hardware server, a virtual server, a cloud server, etc.
[0023] Optionally, after receiving the access key tracing request sent by the terminal 110, the server 120 may first extract the target private signature algorithm identifier and the target private signature from the access key to be traced carried in the access key tracing request; then, it may call the target private signature algorithm corresponding to the target private signature algorithm identifier to perform calculation based on the access key to be traced, and obtain the target calculation result; finally, it may compare the target calculation signature in the target calculation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced; the target calculation signature is a string of a preset signature length corresponding to a preset position in the target calculation result; the preset signature length is used to characterize the string length corresponding to the private signature in the access key issued by this organization.
[0024] It is understood that the above access key tracing process is not limited to being executed by the server 120, but can also be executed by the terminal 110. This specification does not specifically limit this embodiment. All the following embodiments are illustrated by the server 120 executing the above access key tracing.
[0025] The network can be a medium that provides a communication link between server 120 and terminal 110, or it can be the Internet, which includes network devices and transmission media, and is not limited thereto. The transmission media can be a wired link, such as, but not limited to, coaxial cable, fiber optic cable, and digital subscriber line (DSL), or a wireless link, such as, but not limited to, wireless fidelity (WIFI), Bluetooth, and mobile device networks.
[0026] Understandably, the number of terminals 110 and servers 120 in the access key tracing system shown in Figure 1 is merely an example. In a specific implementation, the access key tracing system can contain any number of terminals 110 and servers. This specification does not specifically limit this. For example, but not limited to, terminal 110 can be a terminal cluster composed of multiple terminals, and server 120 can be a server cluster composed of multiple servers.
[0027] Next, the access key tracing method provided in the embodiments of this specification is described with reference to Figure 1. Please refer to Figure 2, which is a flowchart illustrating an access key tracing method provided in an exemplary embodiment of this specification. As shown in Figure 2, this access key tracing method includes the following steps:
S202, extract the target private signature algorithm identifier and target private signature from the access key to be traced.
[0028] Specifically, based on the preset format definition corresponding to the access key issued by this organization, the target private signature algorithm identifier and target private signature that may be contained in the access key to be traced can be parsed. The aforementioned target private signature algorithm identifier is used to indicate the type of private signature algorithm used when generating the access key to be traced. If the access key to be traced was issued by this organization, then the target private signature should be a string obtained by signing using the target private signature algorithm corresponding to the target private signature algorithm identifier.
[0029] For example, suppose the preset format definition corresponding to the access key issued by this organization specifies that the private signature algorithm identifier is located in the 4th position of the access key, that the correspondence between each private signature algorithm identifier and the private signature algorithm is stored in advance, and that the private signature is located in the 5th to 8th positions of the access key (the preset signature position), that is, the corresponding preset signature length is 4. Then, during parsing, the 4th character in the access key to be traced will be extracted as the target private signature algorithm identifier corresponding to the access key to be traced, and the 5th to 8th characters in the access key to be traced will be extracted as the target private signature corresponding to the access key to be traced.
[0030] Optionally, if parsing fails or a field is missing, it can be directly determined that the access key to be traced was not issued by this organization. In this case, the system will terminate the tracing process and return a verification failure result. If parsing succeeds, the following S204 will be executed.
[0031] S204, invoke the target private signature algorithm corresponding to the target private signature algorithm identifier, calculate based on the access key to be traced, and obtain the target calculation result.
[0032] Specifically, after obtaining the target private signature algorithm identifier, the corresponding target private signature algorithm can be found based on, but is not limited to, a pre-stored correspondence between private signature algorithm identifiers and private signature algorithms. Then, the target private signature algorithm is invoked, and calculations are performed based on the access key to be traced, to obtain the target calculation result. The target calculation result includes string information processed by the target private signature algorithm. The private signature algorithm may include, but is not limited to, hash algorithms, symmetric encryption algorithms, and asymmetric encryption algorithms.
[0033] Optionally, if the target private signature algorithm corresponding to the target private signature algorithm identifier is not found in the pre-stored correspondence between private signature algorithm identifiers and private signature algorithms, it indicates that the private signature algorithm or generation method used in the generation process of the access key to be traced is not consistent with the access key issued by this organization, and it can be directly determined that the access key to be traced does not belong to the organization.
[0034] Optionally, the process of S204 above, which involves calling the target private signature algorithm corresponding to the target private signature algorithm identifier and calculating based on the access key to be traced to obtain the target calculation result, may include, but is not limited to: first, replacing the target private signature in the access key to be traced with a preset placeholder string to obtain a first string to be calculated; then, calling the target private signature algorithm corresponding to the target private signature algorithm identifier to calculate the first string to be calculated to obtain the target calculation result. The preset placeholder string is used to reserve space for the private signature position before private signature calculation during the issuance of access keys by the organization. The length of the extracted target private signature is consistent with the length of the preset placeholder string. The preset placeholder string can be, for example, but not limited to, a string of the preset signature length consisting entirely of "0" characters or entirely of "1" characters.
[0035] In the embodiments of this specification, the first string to be calculated is obtained by replacing the target private signature in the access key to be traced with a preset placeholder string. Then, the corresponding target private signature algorithm is called to calculate the first string to be calculated to obtain the target calculation result. This ensures that the calculation process is not affected by the target private signature itself, effectively avoids calculation deviations caused by different signature content, enhances the robustness and security of the traceability determination, and ensures that the ownership of the access key to be traced can be verified more accurately in the future.
[0036] S206, compare the target computation signature in the target computation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced. The target computation signature is a string with a preset signature length corresponding to a preset position in the target computation result. The preset signature length is used to characterize the string length corresponding to the private signature in the access key issued by this organization.
[0037] Specifically, after obtaining the target calculation result, a string of a preset signature length corresponding to a preset position will be extracted from the result. This string is the target calculated signature, which is the signature calculated based on the access key to be traced, according to the rules for issuing access keys by this organization. Then, this target calculated signature will be compared with the target private signature directly extracted from the access key to be traced. By comparing whether these two strings match, it can be determined whether the access key to be traced was issued by this organization. This organization can be, for example, but not limited to, enterprises and institutions that need to issue access keys.
[0038] Specifically, in S206 above, the process of comparing the target computation signature in the target computation result with the target private signature to obtain the traceability result of the target access key corresponding to the traceable access key may include, but is not limited to: if the target computation signature is consistent with the target private signature, it is determined that the traceable access key belongs to the organization; if the target computation signature is inconsistent with the target private signature, it is determined that the traceable access key does not belong to the organization. By comparing the consistency between the target computation signature calculated based on the traceable access key and the target private signature directly extracted from the traceable access key, it is possible to accurately identify whether the traceable access key was issued by the organization, effectively eliminating signature mutation interference and improving traceability accuracy. When the two are completely consistent, it indicates that the generation logic of the traceable access key is consistent with the generation algorithm of the access key issued by the organization, and it can be confirmed that it belongs to the organization; if they are inconsistent, it indicates that the traceable access key may have been tampered with or originated from an external illegal generation, and does not belong to the organization.
[0039] In this embodiment, the target private signature algorithm identifier and target private signature are extracted from the access key to be traced, and the target private signature algorithm corresponding to the target private signature algorithm identifier is called for calculation. Finally, the target calculated signature in the target calculation result is compared with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced. The target calculated signature is a string of a preset signature length corresponding to a preset position in the above target calculation result. The preset signature length is used to represent the string length corresponding to the private signature in the access key issued by this organization. Thus, by implicitly adding a private signature to the access key issued by this organization, the tracing analysis of suspected leaked access keys can be performed quickly and accurately, effectively solving the problem of difficulty in accurately determining the ownership of massive access keys under traditional methods. At the same time, it decouples from the cloud platform network at the network level, from the cloud platform key issuance application at the technical level, and from the cloud platform development team at the usage level, enabling the security team to independently monitor the leakage of access keys, reducing the potential attack surface of the cloud platform key verification system and enhancing the security of the cloud platform key verification system.
[0040] Please refer to Figure 3, which is a flowchart illustrating another access key tracing method provided in an exemplary embodiment of this specification. As shown in Figure 3, this access key tracing method may include, but is not limited to, the following steps:
S302, perform format verification on the access key to be traced to obtain the target format verification result.
[0041] Specifically, the target format verification result is used to indicate whether the access key to be traced conforms to the format specifications of the access keys issued by this organization. When verifying the format of the access key to be traced, it can be performed according to, but is not limited to, the access key format pre-defined by this organization. This access key format may include, but is not limited to, aspects such as the length of the access key, the character set, and the meaning of characters at specific positions. Through format verification, access keys that clearly do not conform to the organization's issuance specifications can be initially screened out, reducing invalid calculations in subsequent traceability processes and improving overall traceability efficiency.
[0042] Specifically, S302 above, the process of verifying the format of the access key to be traced to obtain the target format verification result, may include, but is not limited to, verifying whether the length of the access key to be traced is consistent with the preset access key length, and verifying whether the public prefix identifier in the access key to be traced is the preset public prefix identifier. The preset access key length is the total length of access keys issued by this organization, and the preset public prefix identifier is the public prefix identifier set in the access keys issued by this organization. If the length of the access key to be traced is inconsistent with the preset access key length or the public prefix identifier in the access key to be traced is not the preset public prefix identifier, then the format verification of the access key to be traced fails; if the length of the access key to be traced is consistent with the preset access key length and the public prefix identifier in the access key to be traced is the preset public prefix identifier, then the format verification of the access key to be traced passes.
[0043] The above format verification steps can quickly eliminate access keys that do not conform to the organization's issuance specifications, avoiding wasted resources in subsequent complex tracing calculations. For example, if the access keys issued by the organization are fixed at 16 characters in length and have a specific two-character public prefix, then access keys that are not 16 characters in length or whose public prefixes do not match can be directly determined to have failed format verification, eliminating the need for subsequent tracing steps.
[0044] S304. If the target format verification result is that the format verification fails, then it is determined that the access key to be traced does not belong to this organization.
[0045] Specifically, when the target format verification result is that the format verification fails, it can be directly determined that the access key to be traced was not issued by this organization, the subsequent traceability process is terminated, and the corresponding prompt information is returned.
[0046] S306, If the target format verification result is that the format verification is passed, then extract the target private signature algorithm identifier and the target private signature from the access key to be traced.
[0047] Specifically, when the target format verification result is successful, the access key to be traced is further parsed to extract the embedded target private signature algorithm identifier and target private signature portion. The above extraction process is consistent with the implementation process of S202 above, and will not be repeated here.
[0048] S308, call the target private signature algorithm corresponding to the target private signature algorithm identifier, calculate based on the access key to be traced, and obtain the target calculation result.
[0049] Specifically, S308 is the same as S204, and will not be repeated here.
[0050] S310, compare the target computation signature in the target computation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced. The target computation signature is a string with a preset signature length corresponding to a preset position in the target computation result. The preset signature length is used to characterize the string length corresponding to the private signature in the access key issued by this organization.
[0051] Specifically, S310 is the same as S206, and will not be repeated here.
[0052] In the embodiments described in this specification, the format of the access keys to be traced is verified first, and only the keys that conform to the organization's issuance specifications proceed to the subsequent tracing steps, which effectively improves tracing efficiency and reduces unnecessary calculations. At the same time, by extracting key information, calling the corresponding algorithm for calculation, and comparing signatures, the tracing analysis of suspected leaked access keys can be performed quickly and accurately. This solves the problem that traditional methods cannot accurately determine the ownership of massive numbers of access keys, and enhances the security of the cloud platform key verification and signature system.
[0053] For example, suppose the access keys issued by this organization have a length of 30 characters (preset access key length), a preset public prefix identifier of "ABC", a preset private signature algorithm position of the 4th character, and a preset signature position of the 5th to 8th characters, and the AK suspected of being leaked on the Internet is "ABC1f287c79cit2e02zj5wrcvxytv7" (access key to be traced). The tracing may then proceed as follows, without being limited to this: first determine whether the length of the access key to be traced is 30 characters; if so, determine whether the first to third characters of the string (public prefix identifier) are "ABC"; if so, extract the target private signature algorithm identifier "1" from the 4th character and the target private signature "f287" from the 5th to 8th characters. Next, the four characters occupied by the target private signature are replaced with the preset placeholder string "0000" to obtain the first string to be calculated, "ABC10000c79cit2e02zj5wrcvxytv7". Then, based on the target private signature algorithm identifier "1", the corresponding target private signature algorithm is called to calculate the first string to be calculated, resulting in the target calculation result "da5cccc952f2871dc366a45e907141811803bc9f0dcf3ae97655be493041cf84". The target calculation result is then offset by 10 positions (preset position) from the beginning, and the content with a preset signature length of 4 is extracted to obtain the target calculated signature "f287". Since the target calculated signature matches the directly extracted target private signature, it is determined that the AK was issued by this organization. It is then necessary to activate the emergency response process for AK and SK leaks and deal with the situation in a timely manner to reduce losses.
[0054] Currently, cloud service providers only fix the lengths of AK and SK when generating access keys, and set a prefix for AK to assist in AK traceability to some extent, but the accuracy is low. When someone maliciously generates a large number of AKs with specific prefixes, it will also cause trouble for users tracing the source, making it impossible to quickly verify and trace the source.
[0055] Based on this, the embodiments of this specification propose an access key generation method. Please refer to Figure 4, which is a flowchart illustrating an access key generation method provided in an exemplary embodiment of this specification. As shown in Figure 4, the access key generation method may include, but is not limited to, the following steps:
S402, randomly generate a content fill string of a preset fill length.
[0056] Specifically, the preset fill length can be set according to actual needs. The content fill string provides the basic string content for the subsequent generation of the access key. Randomly generated fill strings increase the randomness and complexity of the access key, reducing the risk of malicious cracking or forgery. For example, with the preset fill length set to 22 characters, a content fill string such as "c79cit2e02zj5wrcvxytv7" can be generated using a specific random algorithm, although generation is not limited to this.
[0057] S404, combine the preset public prefix identifier, the preset private signature algorithm identifier, the preset placeholder string, and the content filling string to obtain the second string to be calculated.
[0058] Specifically, a preset public prefix identifier can be placed at the beginning of the access key. This preset public prefix identifier identifies the organization to which the access key belongs. A preset private signature algorithm identifier indicates the algorithm type used for subsequent private signature calculation. The preset public prefix identifier, preset private signature algorithm identifier, preset placeholder string, and content padding string are combined sequentially to form the second string to be calculated for the private signature. For example, if the preset public prefix identifier is "ABC", the preset private signature algorithm identifier is "1", and the preset placeholder string is "0000", combined with the previously generated content padding string, the second string to be calculated is "ABC10000c79cit2e02zj5wrcvxytv7".
[0059] S406, call the preset private signature algorithm corresponding to the preset private signature algorithm identifier to calculate the second string to be calculated and obtain the result string.
[0060] For example, the preset private signature algorithm SHA256, which corresponds to the preset private signature algorithm identifier "1", can be invoked to calculate the second string to be calculated, "ABC10000c79cit2e02zj5wrcvxytv7", resulting in the result string "da5cccc952f2871dc366a45e907141811803bc9f0dcf3ae97655be493041cf84".
[0061] S408, Extract a signature string of a preset signature length from the result string based on a preset position.
[0062] For example, the result string is offset by 10 positions (preset position) from the beginning and the content of the preset signature length 4 is extracted to obtain the signature string "f287".
[0063] S410, the signature string is used as a private signature to fill the second string to be calculated, thus obtaining the access key issued by this organization.
[0064] Specifically, the signature string is used as the private signature to replace the preset placeholder string in the second string to be calculated, thus obtaining the access key issued by this organization.
[0065] For example, the signature string "f287" replaces the pre-defined placeholder string "0000" in the second string to be calculated, "ABC10000c79cit2e02zj5wrcvxytv7", to generate the final access key "ABC1f287c79cit2e02zj5wrcvxytv7". This key is unique and verifiable, identifying the source organization and ensuring content integrity through a private signature. Each generation relies on random padding and algorithmic computation, significantly improving the key's security strength, effectively preventing mass guessing or reverse engineering, and ensuring secure transmission and authentication in complex network environments.
[0066] Understandably, to facilitate efficient access key tracing, access keys issued by the same organization all employ a unified preset public prefix identifier, a preset private signature algorithm identifier, and a unified preset placeholder string when calculating the private signature. This ensures consistency in key format and calculation logic for access keys issued by the same organization. Through unified identifiers and algorithm standards, the origin of the key can be quickly identified, improving inter-system collaboration efficiency and security verification capabilities.
[0067] In some possible embodiments, if it is verified that the access key to be traced was issued by the organization, the organization may, but is not limited to, prohibit responding to access operations corresponding to the access key, or reduce the access permissions corresponding to the access key, or update the preset private signature algorithm and corresponding preset private signature algorithm identifier used in the organization's issuance of access keys, and recalculate the private signature portion of historically issued access keys to maintain compatibility and prevent legitimate keys from becoming invalid due to algorithm upgrades. Simultaneously, the updated preset private signature algorithm identifier will be synchronized to all key generation nodes within the organization to ensure consistent issuance. A transitional verification mechanism can be set for older access keys, allowing them to complete authentication through additional verification paths within a limited time, gradually achieving a smooth migration. This mechanism balances security and availability, preventing systemic risks from algorithm leakage while ensuring business continuity, further enhancing the robustness of the access control system.
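The generation steps S402 to S410 and the tracing steps S302 to S310, as an added Python example that is not code from the patent or its applicant, using the worked example's parameters (prefix "ABC", placeholder "0000", fill length 22, offset 10, signature length 4). Assumptions: the function names, the verdict strings, the lowercase alphanumeric fill alphabet, the separate verdict for an unregistered algorithm identifier, and a second identifier "2" mapped to HMAC-SHA256 with a constructed secret to show dispatch by algorithm identifier.

```python
import hashlib
import hmac
import secrets
import string

# Parameters taken from the page's worked example.
PREFIX = "ABC"               # preset public prefix identifier (characters 1-3)
PLACEHOLDER = "0000"         # preset placeholder string (characters 5-8)
PAD_LEN = 22                 # preset fill length
SIG_OFFSET = 10              # preset position in the result string
SIG_LEN = len(PLACEHOLDER)   # preset signature length (4)
SIG_START = len(PREFIX) + 1  # signature follows the 1-character algorithm id
SIG_END = SIG_START + SIG_LEN
KEY_LEN = SIG_END + PAD_LEN  # preset access key length (30)

# Assumptions, not from the page: fill alphabet and a constructed demo secret.
PAD_ALPHABET = string.ascii_lowercase + string.digits
DEMO_SECRET = b"constructed-demo-secret"


def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _hmac_sha256_hex(text):
    return hmac.new(DEMO_SECRET, text.encode("utf-8"), hashlib.sha256).hexdigest()


# Algorithm identifier -> private signature algorithm.
# "1" is SHA-256 as in the page's example; "2" is a hypothetical keyed variant.
ALGORITHMS = {"1": _sha256_hex, "2": _hmac_sha256_hex}


def compute_signature(to_be_calculated, alg_id):
    """Hash the placeholder-filled string and cut SIG_LEN chars at SIG_OFFSET."""
    result = ALGORITHMS[alg_id](to_be_calculated)
    return result[SIG_OFFSET:SIG_OFFSET + SIG_LEN]


def build_key(padding, alg_id="1"):
    """S404-S410 for a given content fill string."""
    if len(padding) != PAD_LEN:
        raise ValueError("content fill string has the wrong length")
    unsigned = PREFIX + alg_id + PLACEHOLDER + padding       # S404
    signature = compute_signature(unsigned, alg_id)          # S406, S408
    return unsigned[:SIG_START] + signature + unsigned[SIG_END:]  # S410


def generate_key(alg_id="1"):
    """S402: draw the content fill string from a CSPRNG, then sign it."""
    padding = "".join(secrets.choice(PAD_ALPHABET) for _ in range(PAD_LEN))
    return build_key(padding, alg_id)


def trace_key(candidate):
    """S302-S310: return 'format-failed', 'unknown-algorithm',
    'not-issued' or 'issued' for a suspected leaked access key."""
    # S302/S304: length and public prefix must match the issuance format.
    if len(candidate) != KEY_LEN or not candidate.startswith(PREFIX):
        return "format-failed"
    # S306: extract the algorithm identifier and the embedded signature.
    alg_id = candidate[len(PREFIX)]
    claimed = candidate[SIG_START:SIG_END]
    if alg_id not in ALGORITHMS:
        return "unknown-algorithm"  # assumption: reported separately
    # S308: put the placeholder back and recompute.
    unsigned = candidate[:SIG_START] + PLACEHOLDER + candidate[SIG_END:]
    computed = compute_signature(unsigned, alg_id)
    # S310: compare computed and embedded signatures.
    return "issued" if computed == claimed else "not-issued"


if __name__ == "__main__":
    issued = generate_key("1")
    # Constructed candidates standing in for leak intelligence.
    candidates = [
        issued,
        issued[:-1],              # wrong length
        "XYZ" + issued[3:],       # wrong public prefix
        "ABC9" + issued[4:],      # unregistered algorithm identifier
        generate_key("2"),        # issued under the second algorithm
    ]
    for c in candidates:
        print(f"{c:<32} {trace_key(c)}")
```

With a 4-character hexadecimal signature, an unrelated string that has the right length and prefix still matches with probability about 1 in 65,536, so a match is strong evidence of issuance rather than proof.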
[0068] Please refer to Figure 5, which is a schematic diagram of an access key tracing device provided in an exemplary embodiment of this specification. As shown in Figure 5, the access key tracing device 500 includes: The first extraction module 510 is used to extract the target private signature algorithm identifier and the target private signature from the access key to be traced. The first calculation module 520 is used to call the target private signature algorithm corresponding to the target private signature algorithm identifier, perform calculations based on the access key to be traced, and obtain the target calculation result. The signature verification module 530 is used to compare the target computation signature in the target computation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced; the target computation signature is a string with a preset signature length corresponding to a preset position in the target computation result; the preset signature length is used to characterize the string length corresponding to the private signature in the access key issued by this organization.
[0069] In one possible implementation, the access key tracing device 500 further includes: The format verification module is used to verify the format of the above-mentioned access key to be traced and obtain the target format verification result. The first determining module is used to determine that the above-mentioned access key to be traced does not belong to this organization if the above-mentioned target format verification result is that the format verification fails. The second determining module is used to perform the steps of extracting the target private signature algorithm identifier and the target private signature from the access key to be traced if the target format verification result is that the format verification is passed.
[0070] In one possible implementation, the above format validation module is specifically used for: Verify whether the length of the access key to be traced is consistent with the preset access key length, and verify whether the public prefix in the access key to be traced is the preset public prefix; the preset access key length is the total length of access keys issued by this organization; the preset public prefix is the public prefix set in the access keys issued by this organization. If the length of the access key to be traced is inconsistent with the length of the preset access key, or if the public prefix identifier in the access key to be traced is not the preset public prefix identifier, then the format verification of the access key to be traced fails. If the length of the access key to be traced is the same as the length of the preset access key and the public prefix in the access key to be traced is the preset public prefix, then the format verification of the access key to be traced is confirmed to be successful.
[0071] In one possible implementation, the first computing module 520 is specifically used for: Replace the target private signature in the above-mentioned access key to be traced with a preset placeholder string to obtain the first string to be calculated; the above-mentioned preset placeholder string is used to reserve the position of the private signature before the private signature is calculated during the process of issuing access keys by this organization; The target private signature algorithm corresponding to the target private signature algorithm identifier is invoked to perform calculations on the first string to be calculated, and the target calculation result is obtained.
[0072] In one possible implementation, the signature verification module 530 described above is specifically used for: If the target calculated signature is consistent with the target private signature, then the access key to be traced is determined to have been issued by this organization. If the target calculated signature is inconsistent with the target private signature, then the access key to be traced is determined not to have been issued by this organization.
[0073] In one possible implementation, the access key tracing device 500 further includes: The generation module is used to randomly generate a content fill string of a preset fill length; The combination module is used to combine the preset public prefix identifier, the preset private signature algorithm identifier, the preset placeholder string, and the fill string of the above content to obtain the second string to be calculated; The second calculation module is used to call the preset private signature algorithm corresponding to the preset private signature algorithm identifier, calculate the second string to be calculated, and obtain the result string. The second extraction module is used to extract a signature string of a preset signature length from the result string based on the preset position mentioned above; The filling module is used to fill the above-mentioned signature string as a private signature into the above-mentioned second string to be calculated, so as to obtain the access key issued by this organization.
[0074] In one possible implementation, the access key tracing device 500 further includes: The emergency response module is used to, if the access key to be traced belongs to this organization, prohibit the response to the access operation corresponding to the access key to be traced, or reduce the access permissions corresponding to the access key to be traced, or update the preset private signature algorithm and the corresponding preset private signature algorithm identifier used by this organization in the process of issuing the access key.
[0075] The division of modules in the above-described access key tracing device is for illustrative purposes only. In other embodiments, the access key tracing device can be divided into different modules as needed to complete all or part of the functions of the access key tracing device. The implementation of each module in the access key tracing device provided in the embodiments of this specification can be in the form of a computer program. This computer program can run on a terminal or server. The program modules constituted by this computer program can be stored in the memory of the terminal or server. When the computer program is executed by a processor, it implements all or part of the steps of the access key tracing method described in the embodiments of this specification.
[0076] Please refer to Figure 6, which is a schematic diagram of the structure of an electronic device provided as an exemplary embodiment of this specification. As shown in Figure 6, the electronic device 600 may include: at least one processor 610, at least one communication bus 620, a user interface 630, at least one network interface 640, and a memory 650. The communication bus 620 can be used to enable communication between the aforementioned components.
[0077] The user interface 630 may include a display screen and a camera. Optionally, the user interface 630 may also include a standard wired interface and a wireless interface.
[0078] The network interface 640 may optionally include a Bluetooth module, a Near Field Communication (NFC) module, a Wireless Fidelity (Wi-Fi) module, etc.
[0079] The processor 610 may include one or more processing cores. The processor 610 connects to various parts within the electronic device 600 using various interfaces and lines, and performs various functions and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 650, and by calling data stored in the memory 650. Optionally, the processor 610 may be implemented using at least one hardware form of Digital Signal Processing (DSP), Field-Programmable Gate Array (FPGA), or Programmable Logic Array (PLA). The processor 610 may integrate one or a combination of several of the following: a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), and a modem. The CPU primarily handles the operating system, user interface, and applications; the GPU is responsible for rendering and drawing the content required for display; and the modem handles wireless communication. It is understood that the modem may also be implemented as a separate chip without being integrated into the processor 610.
[0080] The memory 650 may include random access memory (RAM) or read-only memory (ROM). Optionally, the memory 650 may include a non-transitory computer-readable medium. The memory 650 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 650 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as access key tracing function, access key generation function, etc.), instructions for implementing the above-described method embodiments, etc.; the data storage area may store data involved in the above-described method embodiments, etc. Optionally, the memory 650 may also be at least one storage device located remotely from the aforementioned processor 610. As shown in Figure 6, the memory 650, which serves as a computer storage medium, may include an operating system, a network communication module, a user interface module, and application programs.
[0081] Specifically, the processor 610 can be used to call the application stored in the memory 650 and perform the following operations: Extract the target private signature algorithm identifier and target private signature from the access key to be traced; call the target private signature algorithm corresponding to the target private signature algorithm identifier, and calculate based on the access key to be traced to obtain the target calculation result; compare the target calculated signature in the target calculation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced; the target calculated signature is a string with a preset signature length corresponding to a preset position in the target calculation result; the preset signature length is used to characterize the string length corresponding to the private signature in the access key issued by this organization.
[0082] In some possible embodiments, before the processor 610 performs the above-described extraction of the target private signature algorithm identifier and target private signature from the access key to be traced, it is also configured to perform: The above-mentioned access key to be traced is format verified to obtain the target format verification result; if the above-mentioned target format verification result is that the format verification fails, it is determined that the above-mentioned access key to be traced does not belong to the organization; if the above-mentioned target format verification result is that the format verification passes, the above-mentioned steps of extracting the target private signature algorithm identifier and the target private signature from the access key to be traced are performed.
[0083] In some possible embodiments, when the processor 610 performs the above-mentioned format verification of the access key to be traced and obtains the target format verification result, it is specifically used to perform: Verify whether the length of the access key to be traced is consistent with the preset access key length, and verify whether the public prefix identifier in the access key to be traced is the preset public prefix identifier; the preset access key length is the total length of access keys issued by this organization; the preset public prefix identifier is the public prefix identifier set in the access keys issued by this organization; if the length of the access key to be traced is inconsistent with the preset access key length or the public prefix identifier in the access key to be traced is not the preset public prefix identifier, then the verification of the access key format to be traced fails; if the length of the access key to be traced is consistent with the preset access key length and the public prefix identifier in the access key to be traced is the preset public prefix identifier, then the verification of the access key format to be traced passes.
[0084] In some possible embodiments, when the processor 610 executes the above-mentioned call to the target private signature algorithm corresponding to the target private signature algorithm identifier, and calculates based on the access key to be traced to obtain the target calculation result, it is specifically used to perform: Replace the target private signature in the aforementioned access key to be traced with a preset placeholder string to obtain the first string to be calculated; the aforementioned preset placeholder string is used to reserve the private signature position before the private signature is calculated during the process of issuing access keys by this organization; call the target private signature algorithm corresponding to the aforementioned target private signature algorithm identifier to calculate the aforementioned first string to be calculated to obtain the target calculation result.
[0085] In some possible embodiments, when the processor 610 performs the above-mentioned comparison of the target computation signature in the target computation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced, it is specifically used to perform the following: If the target calculated signature is consistent with the target private signature, then the access key to be traced is determined to have been issued by this organization; if the target calculated signature is inconsistent with the target private signature, then the access key to be traced is determined not to have been issued by this organization.
[0086] In some possible embodiments, the processor 610 described above is also used to perform: A content padding string of a preset length is randomly generated; the preset public prefix identifier, the preset private signature algorithm identifier, the preset placeholder string, and the aforementioned content padding string are combined to obtain a second string to be calculated; the preset private signature algorithm corresponding to the aforementioned preset private signature algorithm identifier is called to calculate the aforementioned second string to be calculated, and a result string is obtained; a signature string of a preset signature length is extracted from the aforementioned result string based on the aforementioned preset position; the aforementioned signature string is used as a private signature to fill the aforementioned second string to be calculated, thereby obtaining the access key issued by this organization.
[0087] In some possible embodiments, after the processor 610 performs the above-mentioned comparison of the target computation signature in the target computation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced, it is further configured to perform: if the access key to be traced is issued by the organization, then prohibit the response to the access operation corresponding to the access key to be traced, or reduce the access permission corresponding to the access key to be traced, or update the preset private signature algorithm and the corresponding preset private signature algorithm identifier used in the process of issuing the access key by the organization.
[0088] This specification also provides a computer-readable storage medium storing instructions that, when executed on a computer or processor, cause the computer or processor to perform one or more steps in the above embodiments. If the constituent modules of the above-described access key tracing device are implemented as software functional units and sold or used as independent products, they can be stored in the above-described computer-readable storage medium.
[0089] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions. When these computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this specification are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in or transmitted through a computer-readable storage medium. The computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired means, such as coaxial cable, fiber optic cable, Digital Subscriber Line (DSL), or wireless means (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium accessible to a computer or a data storage device such as a server or data center that integrates one or more available media. The aforementioned available media can be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., Digital Versatile Discs, DVDs), or semiconductor media (e.g., Solid State Disks, SSDs).
[0090] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. This program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the methods described above. The aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks, or optical disks. Unless otherwise specified, the technical features of this embodiment and its implementation can be combined arbitrarily.
[0091] The embodiments described above are merely preferred embodiments of this specification and are not intended to limit the scope of this specification. Any modifications and improvements made to the technical solutions of this specification by those skilled in the art without departing from the spirit of this specification should fall within the protection scope defined by the claims.
[0092] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recorded in the claims and specification may be performed in a different order than in the embodiments described in the specification and still achieve the desired results. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Claims
1. A method for generating an access key, the method comprising: Randomly generate a fill string of a preset fill length; The second string to be calculated is obtained by combining the preset public prefix identifier, the preset private signature algorithm identifier, the preset placeholder string, and the content filling string. The preset private signature algorithm corresponding to the preset private signature algorithm identifier is invoked to calculate the second string to be calculated, and the result string is obtained; A signature string of a preset signature length is extracted from the result string based on a preset position; the preset signature length is used to characterize the string length corresponding to the private signature in the access key issued by this organization; The signature string is used as a private signature to fill the second string to be calculated, thus obtaining the access key issued by this organization.
2. The method of claim 1, further comprising: Extract the target private signature algorithm identifier and target private signature from the access key to be traced; The target private signature algorithm corresponding to the target private signature algorithm identifier is invoked, and the target calculation result is obtained based on the access key to be traced. The target computation signature in the target computation result is compared with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced. The target calculated signature is a string of a preset signature length corresponding to a preset position in the target calculated result.
3. The method as described in claim 2, wherein calling the target private signature algorithm corresponding to the target private signature algorithm identifier, and calculating based on the access key to be traced to obtain the target calculation result, includes: Replace the target private signature in the access key to be traced with a preset placeholder string to obtain the first string to be calculated; The preset placeholder string is used to reserve the private signature position before the private signature is calculated during the process of issuing access keys by this organization; The target private signature algorithm corresponding to the target private signature algorithm identifier is invoked to perform calculations on the first string to be calculated, and the target calculation result is obtained.
4. The method as described in claim 2, wherein before extracting the target private signature algorithm identifier and the target private signature from the access key to be traced, the method further includes: verifying the format of the access key to be traced to obtain a target format verification result; if the target format verification result is that the format verification fails, determining that the access key to be traced does not belong to this organization; and if the target format verification result is that the format verification is successful, executing the step of extracting the target private signature algorithm identifier and the target private signature from the access key to be traced.
5. The method as described in claim 4, wherein performing format verification on the access key to be traced to obtain a target format verification result includes: verifying whether the length of the access key to be traced is consistent with the preset access key length, and verifying whether the public prefix identifier in the access key to be traced is the preset public prefix identifier, the preset access key length being the total length of access keys issued by this organization and the preset public prefix identifier being the public prefix identifier set in access keys issued by this organization; if the length of the access key to be traced is inconsistent with the preset access key length, or the public prefix identifier in the access key to be traced is not the preset public prefix identifier, determining that the format verification of the access key to be traced fails; and if the length of the access key to be traced is the same as the preset access key length and the public prefix identifier in the access key to be traced is the preset public prefix identifier, determining that the format verification of the access key to be traced is successful.
6. The method as described in claim 2, wherein comparing the target computed signature in the target calculation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced includes: if the target computed signature is consistent with the target private signature, determining that the access key to be traced was issued by this organization; and if the target computed signature is inconsistent with the target private signature, determining that the access key to be traced was not issued by this organization.
7. The method as described in claim 2, wherein after comparing the target computed signature in the target calculation result with the target private signature to obtain the target access key tracing result corresponding to the access key to be traced, the method further includes: if the access key to be traced belongs to this organization, prohibiting the access operation corresponding to the access key to be traced, or reducing the access permission corresponding to the access key to be traced, or updating the preset private signature algorithm and the corresponding preset private signature algorithm identifier used when this organization issues access keys.
8. An access key generation apparatus, the apparatus comprising: a generation module, used to randomly generate a content fill string of a preset fill length; a combination module, used to combine the preset public prefix identifier, the preset private signature algorithm identifier, the preset placeholder string, and the content fill string to obtain the second string to be calculated; a second calculation module, used to invoke the preset private signature algorithm corresponding to the preset private signature algorithm identifier, perform a calculation on the second string to be calculated, and obtain the result string; a second extraction module, used to extract a signature string of a preset signature length from the result string based on the preset position; and a filling module, used to fill the signature string, as the private signature, into the second string to be calculated so as to obtain the access key issued by this organization.
9. An electronic device comprising: a processor and a memory; the processor is connected to the memory; the memory is used to store executable program code; the processor runs a program corresponding to the executable program code stored in the memory to perform the method as described in any one of claims 1-7.
10. A computer storage medium storing a plurality of instructions adapted for loading by a processor and executing the steps of the method as claimed in any one of claims 1-7.
11. A computer program product comprising instructions that, when run on a computer or processor, cause the computer or processor to perform the access key tracing method as described in any one of claims 1-7.
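The issuance steps of claim 1 and the tracing steps of claims 2 to 6 can be followed end to end in the sketch below, which is an added example and not code from the patent. The claims name the fields but fix no values or algorithm, so the prefix `AKEX`, the identifier `01`, the lengths and position, the all-zero placeholder, and the choice of HMAC-SHA256 under an organization-held secret are all assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Every constant here is an assumption; the claims name the fields only.
PREFIX = "AKEX"              # preset public prefix identifier (hypothetical)
ALG_ID = "01"                # preset private signature algorithm identifier
SIG_LEN, SIG_POS = 6, 10     # preset signature length and preset position
FILL_LEN = 20                # preset fill length
PLACEHOLDER = "0" * SIG_LEN  # reserves the signature slot before calculation
SIG_START = len(PREFIX) + len(ALG_ID)
KEY_LEN = SIG_START + SIG_LEN + FILL_LEN
ALPHABET = string.ascii_uppercase + string.digits


def _hmac_sha256(secret: bytes, text: str) -> str:
    return hmac.new(secret, text.encode(), hashlib.sha256).hexdigest().upper()


# Identifier -> private signature algorithm; rotation adds a new entry.
ALGORITHMS = {"01": _hmac_sha256}


def _signature(alg_id: str, secret: bytes, to_compute: str) -> str:
    result = ALGORITHMS[alg_id](secret, to_compute)
    return result[SIG_POS:SIG_POS + SIG_LEN]


def generate_access_key(secret: bytes) -> str:
    fill = "".join(secrets.choice(ALPHABET) for _ in range(FILL_LEN))
    to_compute = PREFIX + ALG_ID + PLACEHOLDER + fill
    return PREFIX + ALG_ID + _signature(ALG_ID, secret, to_compute) + fill


def trace_access_key(secret: bytes, candidate: str) -> bool:
    # Format check first: total length and public prefix (ASCII only).
    if (len(candidate) != KEY_LEN or not candidate.isascii()
            or not candidate.startswith(PREFIX)):
        return False
    alg_id = candidate[len(PREFIX):SIG_START]
    target_sig = candidate[SIG_START:SIG_START + SIG_LEN]
    if alg_id not in ALGORITHMS:  # assumption: unknown identifier = not ours
        return False
    # Put the placeholder back so the input matches what issuance signed.
    to_compute = candidate[:SIG_START] + PLACEHOLDER + candidate[SIG_START + SIG_LEN:]
    computed = _signature(alg_id, secret, to_compute)
    return hmac.compare_digest(computed, target_sig)
```

With these assumed parameters the signature is 6 hexadecimal characters, so a foreign string that already passes the format check matches by chance about once in 16^6 tries; the preset signature length therefore sets the false-positive rate of tracing.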