The application claims the priority of Chinese Patent Application No. 201510977455.3, titled “CLIENT APPARATUS, SERVER APPARATUS AND ACCESS CONTROL SYSTEM FOR AUTHORIZED ACCESS”, filed on Dec. 23, 2015 with the State Intellectual Property Office of People's Republic of China, which is incorporated herein by reference in its entirety.
The present disclosure relates to the field of information security and access control technology, and in particular to a client device, a server device, and an access control system for achieving secure authorized access by using a decentralized public database, and a method thereof.
Access control is a mechanism related to all of computer systems regardless of the types of the computer systems, such as a client/server system, a client/browser system, or a cloud system. The access control includes the simplest username/password, a widely-used authentication code/validation code (CAPTCHA), as well as the currently widely-used SMS verification code and hardware-based UKey, and the like, wherein both the SMS verification code and the require supports by an external device. The most important part of the access control process is to confirm the authenticity and validity of an access application. With the determination of authenticity and validity, some network attacks, such as replay attacks and man-in-the-middle attacks, can be effectively resisted, thereby reducing the risk of denial-of-service attacks.
A brief overview of the present disclosure is given below so as to provide a basic understanding of certain aspects of the present disclosure. However, it is to be understood that this summary is not an exhaustive overview of the present disclosure. It is neither intended to determine the critical part or the important part of the present disclosure, nor intended to limit the scope of the present disclosure. The purpose thereof is merely to give some concepts of the present disclosure in a simplified form as a prelude to the more detailed description made later.
In view of the above problems, an object of the present disclosure is to provide a client device, a server device, and an access control system for authorized access that can effectively resist some network attacks, and a method thereof.
According to an aspect of the present disclosure, a client device for authorized access is provided, which includes: a request generating unit, a recording unit and an accessing unit. The request generating unit is configured to generate a request for authorized access to protected resources and send the request to a server device. The recording unit is configured to record the request in a public database which is a decentralized, distributed database and in which records cannot be modified. The accessing unit is configured to perform corresponding operations for accessing the protected resources utilizing response information sent by the server device in response to the request.
According to a preferred embodiment of the present disclosure, the public database includes blockchain.
According to another preferred embodiment of the present disclosure, the request generating unit is further configured to sign the request utilizing a client private key and send the signed request to the server device, and the recording unit is further configured to record the signed request in the public database.
According to another preferred embodiment of the present disclosure, the request generating unit is further configured to send location information of the request in the public database to the server device.
According to another preferred embodiment of the present disclosure, the accessing unit is further configured to verify a record of the response information in the public database utilizing a server public key, and to perform the corresponding operations according to a result of the verifying.
According to another preferred embodiment of the present disclosure, the server device includes an authorization server and a resource server.
According to another preferred embodiment of the present disclosure, the request includes a request for an authorization access credential sent to the authorization server, and the response information includes the authorization access credential from the authorization server.
According to another preferred embodiment of the present disclosure, the authorization access credential includes limitation information related to the protected resources.
According to another preferred embodiment of the present disclosure, the limitation information includes an identifier of a manager for the protected resources, resources which are allowed to be accessed by the client device and a valid period of the authorization access credential.
According to another preferred embodiment of the present disclosure, the limitation information further includes setting of accessing times within the valid period, and the accessing unit performs the corresponding operations for accessing the protected resources according to the setting of accessing times.
According to another preferred embodiment of the present disclosure, the request includes a data accessing request sent to the resource sever, and the response information includes data resources from the resource server.
According to another preferred embodiment of the present disclosure, the authorization server and the resource sever are the same server.
According to another aspect of the present disclosure, a server device for authorized access is further provided, which includes: a response generating unit and a recording unit. The response generating unit is configured to generate corresponding response information in response to a request for authorized access to protected resources from a client device and send the response information to the client device. The recording unit is configured to record the response information in a public database which is a decentralized distributed database and in which records cannot be modified.
According to another aspect of the present disclosure, an access control system for authorized access is further provided, which includes a client device, a server device and a public database. The public database is a decentralized, distributed database and records in the public database cannot be modified. The client device includes a request generating unit, a first recording unit and an access unit. The request generating unit is configured to generate a request for authorized access to protected resources and send the request to the server device. The first recording unit is configured to record the request in the public database. The accessing unit is configured to perform corresponding operations for accessing the protected resources utilizing response information sent by the server device in response to the request. The server device includes a response generating unit and a second recording unit. The response generating unit is configured to generate corresponding response information in response to the request and send the response information to the client device. The second recording unit is configured to record the response information in the public database.
According to another aspect of the present disclosure, a method for authorized access performed at a client device is further provided, which includes: generating a request for authorized access to protected resources and sending the request to a server device; recording the request in a public database which is a decentralized distributed database and in which records cannot be modified; and performing corresponding operations for accessing the protected resources utilizing response information sent by the server device in response to the request.
According to another aspect of the present disclosure, a method for authorized access performed at a server device is further provided, which includes: generating corresponding response information in response to a request for authorized access to protected resources from a client device and sending the response information to the client device; and recording the response information in a public database which is a decentralized distributed database and in which records cannot be modified.
According to another aspect of the present disclosure, an electronic device is further provided, which may include a transceiver and one or more processors. The one or more processors may be configured to perform the above-described method for authorized access according to the present disclosure.
According to other aspects of the present disclosure, there are also provided a computer program code and a computer program product for implementing the above-described method according to the present disclosure, and a computer readable storage media on which the computer program code for implementing the above-described method according to the present disclosure is recorded.
According to embodiments of the present disclosure, the secure authorized access to protected resources may be achieved effectively utilizing a decentralized public database.
Other aspects of the embodiments of the present disclosure are given in the following description, in which the detailed description is used for fully disclosing, without limiting, preferred embodiments of the disclosed disclosure.
The present disclosure may be better understood with reference to the detailed description given below in conjunction with the drawings, in which the same or like reference numerals are used throughout the drawings to refer to the same or like parts. The drawings, together with the following detailed description, are included in this specification and form a part of this specification, and are used to further exemplify preferred embodiments of the present disclosure and to explain the principles and advantages of the present disclosure. In the drawings:
Hereinafter, the demonstrative embodiments of the disclosure will be described in conjunction with the drawings. For clarity and brief, not all the features of the practical embodiments are described in the specification. However, it is to be understood that, many decisions specific to the embodiment must be made during the development of any one of the practical embodiments, so as to achieve the specific object of the developer, for example, coinciding with limiting conditions related to the system and service, and possibly changing the limiting conditions with different embodiments. Moreover, it is to be understood that, although the developing work may be very complicated and time-consuming, but is only a routine task for those skilled in the art benefit from the disclosure.
It is further to be noted here that, to avoid obscuring the present disclosure due to unnecessary details, only the device structure and/or processing step closely related to the solution of the present disclosure are shown in the drawings, and other details less related to the present disclosure are omitted.
Next, embodiments of the present disclosure will be described in detail with reference to
As shown in
In the embodiment according to the present disclosure, in order to ensure secure access by the client device 200 to protected resources, key operations of the client device 200 and the server device 300 during the authorized access process may be respectively recorded in the public database 100. Since the public database 100 is a decentralized, distributed database and the data in the public database cannot be modified or deleted once being recorded, it helps to defend against network attacks and achieve secure access control. In the following, functional configuration examples of the client device 200 and the server device 300 will be described in detail with reference to
As shown in
The request generating unit 210 may be configured to generate a request for authorized access to protected resources and send the request to the server device 300.
The recording unit 220 may be configured to record the above-described request in the public database 100.
The accessing unit 230 may be configured to perform corresponding operations for accessing the protected resources utilizing response information sent by the server device 300 in response to the request.
Preferably, in order to enhance the security, the request generating unit 210 may further sign the request utilizing a private key in the identity key pair (including a private key (denoted as SK) and a public key (denoted as PK)) generated by a key generation center for the client device 200, and send the signed request to the server device 300. The recording unit 220 may record the signed request in the public database 100. For example, this process may be expressed by the following expression (1):
Record1=SignSK of Client(Hash(Request)) (1)
where Request represents a request from the client device, SK of Client represents a private key of the client device 200, Hash( ) represents the Hash function, SignSK of Client represents signing utilizing the private key of the client device 200, and Record1 represents a record of the signed request in the public database.
Preferably, the request generating unit 210 may further send location information (herein denoted as Addr1, for example) of the above-described request recorded in the public database to the server device 300. In this way, the server device 300 can search the public database 100 for a record (Record1 described above) of the signed request in the public database 100 based on the received location information, and verify the authenticity of the request from the client device 200 utilizing the public key of the client device 200. For example, this verification process may be expressed by the following expression (2):
Addr1→Record1
Verify(Record1)=VerifyPK of Client(Record1)=?Hash(Request) (2)
where Verify( ) represents the adopted verification function, and PK of Client represents a public key of the client device 200.
Then, for the request that is verified as reasonable, the server device 300 may generate corresponding response information (herein denoted as Response) to send to the client device 200, and may further record the response information in the public database 100. Preferably, in order to further ensure security, the server device 300 may also sign the response information utilizing the server private key, send the signed response information to the client device 200, and record the signed response information in the public database 100. For example, this process may be expressed by the following expression (3):
Record2−SignSK of Server(Hash(Response)) (3)
where Response represents the response information generated by the server device, SK of Server represents a private key of the server device 300, Hash( ) represents the Hash function, SignSK of Server represents signing utilizing the private key of the server device 300, and Record2 represents a record of the signed response information in the public database 100.
Further, similar to the above-described configuration, the server device 300 may also send location information (here denoted as Addr2, for example) of the signed response information in the public database to the client device 200, so that the accessing unit 230 of the client device 200 can search the public database 100 for a record of the signed response information in the public database 100 based on the received location information, verify the record by utilizing the server public key, and perform corresponding operations according to a result of the verifying. For example, this process may be expressed by the following expression (4):
Addr2→Record2
Verify(Record2)=VerifyPK of Server(Record2)=?Hash(Response) (4)
where Verify( ) represents the adopted verification function, and PK of Server represents a public key of the server device 300.
The functional configuration example of the client device for authorized access has been described above with reference to
As shown in
The response generating unit 310 may be configured to generate corresponding response information in response to a request for authorized access to protected resources from a client device and send the response information to the client device 200.
Preferably, as described above, the response generating unit 310 may verify a record of the request from the client device 200 in the public database (i.e., the above-described record Record1) by utilizing a client public key (i.e., the above-described PK of Client), and generate response information (i.e., Response) according to a result of the verifying. This process may be expressed by the above-described expression (2), for example.
The recording unit 320 may be configured to record the response information in the public database 100.
Preferably, as described above, the response generating unit 310 may further be configured to sign the response information utilizing the server private key and send the signed response information to the client device 200. The recording unit 320 may further be configured to record the signed response information in the public database 100. The process may be expressed by the above-described expression (3), for example. Further, the response generating unit 310 may further send location information (i.e., the above-described Addr2) of the response information in the public database to the client device 200.
It should be understood that, the functional configuration example of the server device 300 corresponds to the functional configuration example of the above-described client device 200. Hence, for the contents not described in detail here, one may refer to the description of the corresponding portions above, which will not be repeated here.
In order to facilitate understanding the implementation of the above-described authorized access, an interaction process between the client device 200, the server device 300, and the public database 100 for authorized access will be described below with reference to
As shown in
It should be understood that the above-described interaction process is only an example rather than a limitation, and the order of execution of the various steps as shown is merely for convenience of description rather than for limitation. According to requirements, some steps may be performed in parallel or in a varied order.
As can be seen from the above-described process, the interaction process between the client device 200 and the server device 300 is recorded in the public database 100 which is a decentralized, distributed database and records in which cannot be modified (that is, the records cannot be deleted and/or altered), and therefore network attacks can be effectively resisted by signing the interaction process utilizing the client private key and the server private key respectively and recording the same in the public database. Here, it should be noted that, since the public database 100 is a distributed database shared by all network entities, theoretically if more than half or more than two thirds of the network entities agree to modify the data records in the public database, the records in the public database can be allowed to be modified. However, in practice, it is difficult to make more than half or more than two thirds of network entities agree to modify the data records. Therefore, it is generally considered that the data in the public database cannot be altered or deleted once it is recorded.
Preferably, as an example, the above public database may include blockchain. Blockchain is regarded as the main technological innovation supporting Bitcoin. Since blockchain is used to prove all transactions in the network as a certification mechanism that requires no trust, blockchain is a “non-trust-based” architecture. The “non-trust-based” architecture means that multiple participants in the entire system can complete various types of transactions and collaboration without trusting each other. This has always been the weakest part of the traditional Internet so far. In contrast to a case where users are required to establish and maintain trust with counterparties (others) or third-party agencies (such as banks), users can trust a public accounting system maintained by the “miner-accountants” and stored in a to number of different decentralized nodes around the world. Blockchain is a key innovation as the architecture of a new decentralized, non-trust-based trading system. The blockchain allows performing all decentralized transactions of any type without intervention between any entities in the world. The blockchain functions like another application layer running on the existing stack of the Internet Protocol, which adds a completely new layer to the Internet to carry out economic transactions, including an instant digital currency payment (in the case of a wide use of cryptocurrencies around the world) and a longer-term, more complex economic contract. Any currency, economic contract, hard assets or soft assets can be traded by a blockchain system. Further, the blockchain can not only be used for transactions but also be used as a registration and inventory system for recording, tracking, monitoring, and trading all assets. The blockchain literally appears to be a huge expansion table for registering all assets and a billing system for trading these assets around the world, the assets including all forms of assets held by all entities worldwide. Hence, the blockchain can be used for registration, stock, and exchange of any forms of asset, including all fields of finance, economy, and money, and hard assets (physical assets) and intangible assets (votes, ideas, reputation, intention, health data, etc). The Bitcoin peer-to-peer network stores all transaction histories in the “Blockchain”. The blockchain extends continuously, and new blocks will not be removed once being added to the blockchain. The blockchain is actually a P2P network platform, which is a group of distributed client nodes, a distributed database formed by all participants, and records of all Bitcoins transaction histories. Furthermore, as the blockchain technology progresses, it is not just applied to the field of virtual currency payment. The decentralized, non-trust-based point-to-point model of blockchain technology means that there is no middleman for transaction at the most basic level. The Blockchain is a network foundation of Bitcoin, but the blockchain per se means more. The blockchain technology 1.0 may be born for virtual currency, while the core feature of credit trust of the blockchain technology 2.0 has become the currently important application direction, which is proposed to be used for a blockchain contract, notarization, and the like. The blockchain technology 3.0 is supposed to be applied to other fields than the financial field, such as the fields of government, health, science, culture, art and the like.
The Blockchain is a decentralized, distributed, and chronological public record, or is referred to as a public ledger system. The blockchain is shared and maintained by all users. Records in the blockchain can be used to verify double consumption. If the blockchain is applied to bills for virtual currencies, it can be used to verify the permanence of Bitcoin transactions and prevent double consumption. The blockchain in the present disclosure can be used to avoid multiple uses of the same authentication code. When the blockchain technology is applied to the authorization service platform, with a set of chronological public records, the steps related to the authorization protocol can be verified and replay attacks can be prevented.
In addition to Bitcoin, the public database according to embodiments of the present disclosure may also be a public ledger platform based on a decentralized blockchain, such as Litecoin, or a distributed ledger system which is decentralized using “consensus” instead of mining, like Hyperledger.
The authorization service of the present disclosure may also be implemented based on the Hyperledger platform. For example, the request and response information are recorded in a consensus pool of Hyperledger, such as a testpool, a custompool, or the like. The testpool is open to everyone for free, and the custompool is a pool that allows user customization. According to the “consensus” mechanism of Hyperledger, the record cannot be deleted or modified after being confirmed as valid.
An access control implementation according to an embodiment of the present disclosure will be described below with an example of blockchain. However, it should be understood that, the present disclosure is certainly not limited thereto, and may be applied to any decentralized, distributed database system in which the records cannot be deleted or modified.
As shown in
As shown in
It should be understood that, the format and content of the record items given herein are only examples, and the format and content of the record items may be set according to actual application requirements, which are not limited in the disclosure.
Corresponding to the interaction process described above, a process example of a method for authorized access according to an embodiment of the present disclosure will be described below with reference to
As shown in
The process example of the method for authorized access according to the present disclosure has been described above with reference to
The general example of authorization access control has been described above with reference to
Before a combination of the OAuth protocol and the technique according to the present disclosure is specifically described, the OAuth protocol is briefly introduced here. The OAuth protocol is an open network protocol (standard) about authorization. In the OAuth protocol, an authorization layer is introduced, and the role of the client is separated from the role of the resource owner. The client requests for access to resources that are controlled by the resource owner and owned by the resource server, and is issued with a set of credentials different from a credential of the resource owner. In the OAuth protocol, the following four roles are defined: a resource owner, a resource server, a client and an authorization server. The resource owner is an entity capable of authorizing access to protected resources. When the resource owner is a person, it may also be referred to as a terminal user. The resource server is a server owning the protected resources, and is capable of accepting and responding to a request for access to the protected resources using an access token. The client is an application that represents the resource owner and requests for the protected resources utilizing the authorization of the resource owner, which does not imply any specific implementation characteristics (for example, whether the application is executed on a server, desktop, or other device). The authorization server is a server that issues the access token to the client after successfully authenticating the resource owner and obtaining authorization. The authorization server may be the same server as the resource server or may be a different entity. Moreover, a single authorization server may issue access tokens accepted by multiple resource servers.
The development of OAuth has promoted the development of new applications in the open API field. OAuth provides applications with a method for accessing protected resources. Before accessing the protected resources, an application must first obtain an authorization (access permission) from the resource owner, and then exchange the access permission for an access token (which represents the scope, duration, and other attributes of the access permission). The application accesses the protected resources by presenting the access token to the resource server. The OAuth 2.0 standard is currently recommended for use. However, the protocol of OAuth 2.0 itself does not provide security and integrity protection mechanisms. Developers need to provide additional protection mechanisms for communication security when using OAuth 2.0.
The OAuth 2.0 protocol itself cannot defend against replay attacks and man-in-the-middle attacks. For example, in a case of replay attacks during network transmission, an authentication code may be intercepted and used to apply for an authorization access credential multiple times. As described above, man-in-the-middle attacks and replay attacks can be effectively resisted by recording the interaction process of authorization in a public database (for example, blockchain), that is, by combining the OAuth protocol with the blockchain technology. As an example, an example of an implementation of authorization access control that is based on blockchain and the OAuth protocol will be described in detail below.
As shown in
The resource owner 600 is an entity that can authorize and permit access to protected resources. The resource server 500 is a server that owns protected resources, and is capable of accepting and responding to requests for the protected resources using access tokens. The client device 200 is an application that represents a resource owner and requests for the protected resources by using authorization of the resource owner, and it is not limited to any particular implementation form. That is, it can be implemented on a server, computer, portable device, or other device. The authorization server 400 is a server that issues an access token to the client device 200 after successfully authenticating the resource owner and obtaining authorization.
An example of an implementation process of the blockchain-based OAuth protocol will be described in detail below with reference to
As shown in
It should be understood that the above-described interaction process is only an example rather than a limitation, and the order of execution of the various steps shown is also merely for convenience of description rather than for limiting. According to requirements, some steps may be performed in parallel or in a varied order.
As can be seen from the interaction process of implementation of the above blockchain-based OAuth protocol, in this case, the server device may include an authorization server and a resource server. The request from the client device may include a request for an authorization access credential to the authorization server and a data access request to the resource server. The response information from the server device may include an authorization access credential from the authorization server and data resources from the resource server. In addition, it should be noted that, although the authorization server and the resource server are shown as separate server devices here, they can actually be the same server.
Preferably, the above-described authorization access credential may include limitation information related to the protected resources. For example, the limitation information may include an identifier of a manager for the protected resources, resources which are allowed to be accessed by the client device and a valid period of the authorization access credential, and the like.
Further, preferably, the limitation information may further include setting of accessing times within the valid period of the authorization access credential. The accessing unit 230 of the client device 200 may perform the corresponding operations for accessing the protected resources according to the setting of accessing times. The response generating unit 310 of the server device 300 may successively decrease the setting of accessing times according to the access to the protected resources by the client device 200, and the recording unit 320 may record the decreased accessing times in the public database. In this way, replay attacks can be prevented, effectively achieving a limited times of authorized accesses to the protected resources. Hereinafter, a process for achieving the limited times of authorized accesses to which the technique according to the present disclosure is applied will be described in detail with reference to
As shown in
Next, in step S1003, the authorization server 400 sends the credentials of the N times of authorized accesses together with the records in the blockchain 100 to the client device 200. Then, in step S1004, the client device 200 may access the resource server 500 by utilizing the authorization access credential, and provide the resource server 500 with the records in the blockchain. In step S1005, the resource server 500 may verify the record in the blockchain to determine whether the authorization access credential is valid. In step S1006, if it is determined that the authorization access credential is valid, the resource server 500 provides the client device 200 with the corresponding data service; and if it is determined that the authorization access credential is invalid, the resource server 500 refuse to provide the corresponding service. Next, in step S1007, for each access, the resource server 500 may transfer 1 coin of virtual currency from the account Account2 to the account Account1 (as shown in
As can be seen in the above process, since the operations of the client device 200, the authorization server 400 and the resource server 500, and the limitation on the times of accesses are recorded in the blockchain 100, each device can verify various information by checking the corresponding record information in the blockchain 100. In this way, replay attacks and man-in-the-middle attacks can be effectively resisted, the security of the authorized access process can be improved, and a limited times of secure authorized accesses can be effectively achieved.
It should be understood that the process of implementing a limited times of authorized accesses based on the blockchain has been described above with reference to
In addition, it should also be noted that, although the implementation of the OAuth protocol to which the technique according to the present disclosure is applied has been described above with the blockchain as an example, it is apparent that other public databases (such as the consensus pool of Hyperledger mentioned above) besides the blockchain can be used to ensure communication security of the OAuth protocol.
Corresponding to the above-described device embodiments, examples of processes of methods for authorized access performed at a client device side and at a server device side according to embodiments of the present disclosure will be described below with reference to
As shown in
Preferably, the client device may further send location information of the request in the public database to the server device, and may verify a record of the response information of the server device in the public database utilizing a server public key, and perform the corresponding operations according to a result of the verifying.
Preferably, when applied in the implementation of the OAuth protocol, the above-described server device may include an authorization server and a resource server, and the two servers may be the same server. The request may include a request for an authorization access credential sent to the authorization server, and a data accessing request sent to the resource sever. The response information includes the authorization access credential from the authorization server and data resources from the resource server. Preferably, the authorization access credential may include limitation information related to the protected resources. The limitation information may include an identifier of a manager for the protected resources, resources which are allowed to be accessed by the client device and a valid period of the authorization access credential. Further, preferably, the limitation information may further include setting of accessing times within the valid period, and the client device may perform the corresponding operations for accessing the protected resources according to the setting of accessing times.
The method performed at the client device described here corresponds to the above-described device embodiment. Therefore, for the content not described in detail here, reference may be made to the corresponding description in the device embodiment, which is not repeated here.
As shown in
Preferably, the server device may further send location information of the response information in the public database to the client device, and may verify a record of the request of the client device in the public database utilizing a client public key and generate the response information according to a result of the verifying.
The method performed at the server device described here corresponds to the above-described device embodiment. Therefore, for the content not described in detail here, reference may be made to the corresponding description in the device embodiment, which is not repeated here.
It should be noted that, although the process example of the method for authorized access according to the embodiments of the present disclosure has been described as above, it is only an example rather than limitation, and those skilled in the art can modify the above embodiments in accordance with principles of the present disclosure. For example, those skilled in the art can add, delete, or combine steps in each embodiment, and all such modifications fall within the scope of the present disclosure.
The technique according to the present disclosure can also be applied to other fields, such as fields of medical treatment, communication, electric power or the like. Application examples of the technique according to the present disclosure will be described below with reference to
In the field of medical treatment, it is required to store data or records of a large number of users. It is desired to solve the problem of how to ensure that these data or records can be provided to users or a third-party platform authorized by the users via secure authorization access.
As shown in
In the specific implementation, system initialization is performed first, so that the key management center allocates at least key pairs to the authorization server and the resource server, which are denoted as (PKAS, SKAS) and (PKRS, SKRS) respectively.
After initialization, the entities perform the process for secure authorized access to medical data according to the example implementation steps as shown in
1. The user applies for an authorization credential from the authorization server
2. The authorization server issues the authorization credential to the user.
3. The user provides the client with authorization credential.
4. The client provides the authorization credential of the user to the authorization server and applies for a data access credential.
5. After verifying the authorization credential as valid, the authorization server generates a corresponding data access credential based on the information of the authorization credential. The data access credential includes at least information such as the target data to be accessed, the access period and the like. At the same time, the authorization server signs the data access credential by using its own private key SKAS, and records the signed information in the network recording platform.
6. The authorization server returns the data access credential and address information of the data access credential in the network recording platform to the client.
7. The client uses the data access credential and the address information in the network recording platform to apply for data resources from the resource server.
8. The resource server retrieves the record corresponding to the data access credential based on the address information, and verifies the validity of the data access credential sent by the client by using the public key PKAS of the authorization server.
9. The resource server provides corresponding data resources to the client according to the data access credential, and records the operation in response to the data access credential in the network recording platform. That is, the data access credential is signed by using the private key SKRS. Response log information may also be added, and recorded in the network recording platform after being signed.
10. The client obtains the corresponding data.
11. The client presents the sorted data to the user. For example, the medical information of the user in multiple medical institutions is gathered, classified, and organized, and then presented to the user as a whole.
Similarly, the above process can also be applied to an industry involving storage of data or records of a large amount of users, such as the electric industry, communication industry, electronic commerce industry or the like, which will not be described in detail herein.
3D printing is a hot technique nowadays, and it is also desired to solve the problem of how to ensure the security of authorized printing of a 3D model. As shown in
When the authorized printing of the 3D model is performed, the operations in steps 1 to 10 as shown in
In the above process, the user obtains the authorization for printing a certain 3D model (which may be obtained for free or by transaction), accesses the authorization server and the resource server via the client, obtains the 3D model data by the method using authorization protocol according to the present disclosure, and sends the data to a 3D printer to yield the printed 3D item. By applying the technique according to the present disclosure, the security and non-repudiation of the authorized access can be guaranteed, and the network attack can be effectively resisted.
Although an application example of the technique according to the present disclosure has been given above with reference to
Further, according to an embodiment of the present disclosure, an electronic device is further provided. The electronic device may include a transceiver and one or more processors. The one or more processors may be configured to perform the foregoing methods or the functions of the corresponding units according to the embodiments of the present disclosure.
It should be understood that, machine-executable instructions in a storage medium and a program product according to the embodiments of the present disclosure may further be configured to perform the method corresponding to the above-described device embodiment. Therefore, for the contents not described in detail here, reference may be made to the previous corresponding description, which is not repeated here.
Correspondingly, the storage medium used for carrying the program product including machine-readable instructions is included in the present disclosure. The storage medium includes but not limited to, a floppy diskette, an optical disk, a magneto-optical disk, a memory card, a memory stick and so on.
In addition, it should further be noted that, the above-described series of processing and apparatuses may also be implemented by software and/or firmware. In the case of software and/or firmware, program constituting the software is installed, via a storage medium or a network, onto the computer having a dedicated hardware structure, such as a general purpose computer 1600 shown in
In
CPU 1601, ROM 1602 and RAM 1603 are linked to each other via a bus 1604. Input/output interface 1605 is also linked to the bus 1604.
The following components are linked to the input/output interface 1605: an input section 1606, including a keyboard, a mouse, etc.; an output section 1607, including a display, such as a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 1608 including a hard disk, etc.; and a communication section 1609, including a network interface card such as a LAN card, a modem, etc. The communication section 1609 performs a communication process via a network, such as the Internet.
A drive 1610 may also be linked to the input/output interface 1605 as needed. Removable media 1611, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 1610 as needed, such that a computer program read out therefrom is installed into the storage section 1608 as needed.
In the case of implementing the above-described series of processing by software, the program constituting the software is installed via the network such as the Internet or a storage medium such as the removable media 1611.
It should be appreciated by those skilled in the art that, such storage medium is not limited to the removable media 1611 shown in
The preferred embodiments of the present disclosure have been described above in detail with reference to the accompanying drawings, whilst the present disclosure is not limited to the above examples, of course. A person skilled in the art may find various changes and modifications within the scope of the appended claims, and it should be understood that they will naturally come under the technical scope of the present disclosure.
For example, multiple functions included in one unit in the above embodiments may be implemented by separate apparatus. Alternatively, multiple functions implemented by multiple units in the above embodiments may be separately implemented by separate apparatus. In addition, one of the above functions may be implemented by multiple units. Needless to say, such a configuration is included in the technical scope of the present disclosure.
In this specification, the steps described in the flowchart include not only processing performed in the order in time series, but also processing parallel or individually and not necessarily performed in time series. Moreover, even in the step of processing in time series, needless to say, the order can be appropriately changed.
Although the present disclosure and its advantages have been described in detail, it should be understood that, various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the disclosure as defined by the appended claims. Furthermore, the terms such as “include”, “comprise” or any other variants thereof means to be non-exclusive. Therefore, a process, a method, an article or a device including a series of elements includes not only the disclosed elements but also other elements that are not clearly enumerated, or further includes inherent elements of the process, the method, the article or the device. Unless expressively limited, the statement “including a . . . ” does not exclude the case that other similar elements may exist in the process, the method, the article or the device other than enumerated elements.
Number | Date | Country | Kind |
---|---|---|---|
201510977455.3 | Dec 2015 | CN | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2016/111725 | 12/23/2016 | WO | 00 |