CN118433171A

CN118433171A - File transmission method, system, storage medium and electronic equipment

Info

Publication number: CN118433171A
Application number: CN202410589997.2A
Authority: CN
Inventors: 刘梦超; 周海波; 姬春浩; 王政; 宋何飞
Original assignee: Sinopharm Digital Technology Shanghai Co ltd
Current assignee: Sinopharm Digital Technology Shanghai Co ltd
Priority date: 2024-05-13
Filing date: 2024-05-13
Publication date: 2024-08-02

Abstract

The application provides a file transmission method, a file transmission system, a storage medium and electronic equipment, wherein the method comprises the following steps: receiving an interface calling authority request sent by an application system; generating an application identifier, a public key and a private key according to the interface calling authority request; receiving a file uploading request sent by the application system after being encrypted by the private key; the file uploading request comprises the application identifier, the file identifier to be uploaded, the file security parameter to be uploaded, the signature parameter and the file to be uploaded; decrypting the file uploading request by using the public key; performing authority verification on the decrypted file uploading request by using the application identifier, and uploading the file to be uploaded to a storage server if the verification is passed; and if the verification is not passed, rejecting the file uploading request. The application can effectively ensure the safety of file transmission, prevent the risk of file leakage or tampering, and solve the problem of repeated storage in the service use process.

Description

File transmission method, system, storage medium and electronic equipment

Technical Field

The application belongs to the technical field of file processing, and particularly relates to a file transmission method, a file transmission system, a storage medium and electronic equipment.

Background

Currently, most companies typically use network attached storage (Network Attached Storage, NAS) to store internal files. Because NAS disk does not support file deduplication, compression, automatic backup, complex security policy and the like, disk space utilization is low, transmission efficiency is low, the loss is easy to occur when files are stored, and effective management and control of transmission authorities are difficult to realize. In addition, if the enterprise directly stores the file in the cloud OSS storage system in a mode of transmitting the file through the external network, the file is easy to leak. Therefore, how to efficiently, safely and stably manage the internal files of the enterprise is a common challenge for all enterprises at present.

Disclosure of Invention

The application aims to provide a file transmission method, a file transmission system, a storage medium and electronic equipment, which can improve the safety and efficiency of file transmission.

In a first aspect, the present application provides a file transfer method, the method including:

Receiving an interface calling authority request sent by an application system;

Generating an application identifier, a public key and a private key according to the interface calling authority request;

Receiving a file uploading request sent by the application system after being encrypted by the private key; the file uploading request comprises the application identifier, the file identifier to be uploaded, the file security parameter to be uploaded, the signature parameter and the file to be uploaded;

decrypting the file uploading request by using the public key;

Performing authority verification on the decrypted file uploading request by using the application identifier, and uploading the file to be uploaded to a storage server if the verification is passed; and if the verification is not passed, rejecting the file uploading request.

In an implementation manner of the first aspect, generating the application identifier, the public key and the private key according to the interface call permission request includes:

Registering an application system which sends out the interface calling authority request to obtain the application identifier;

and distributing the public key and the private key for the application system.

In one implementation manner of the first aspect, the method further includes:

extracting key data based on the file uploading request to obtain a signature string; the key data comprises an uploading request method, an uploading request path, uploading request parameter information, access key information and date information;

Encrypting the signature string to obtain an encrypted byte array;

encoding the encrypted byte array to obtain verification signature parameters; and

And carrying out signature verification on the signature parameters in the file uploading request based on the verification signature parameters.

In one implementation manner of the first aspect, the method further includes:

Performing duplicate removal verification on the file uploading request by using the file identifier to be uploaded, and uploading the file to be uploaded to a storage server if verification is passed; and if the verification is not passed, returning the resource information of the uploaded file in the storage server.

In one implementation manner of the first aspect, the method further includes:

Carrying out integrity verification on the file uploading request by utilizing the file identifier to be uploaded, and uploading the file to be uploaded to a storage server if verification is passed; and if the verification is not passed, rejecting the file uploading request.

In one implementation manner of the first aspect, the method further includes:

Judging the security level of the file to be uploaded by using the security level parameter of the file to be uploaded, and uploading the file to be uploaded to the storage server through an intranet address if the file to be uploaded is a high-ciphertext file; and if the file to be uploaded is a low ciphertext, uploading the file to the storage server through an extranet address.

In a second aspect, the present application provides a file transfer method, the method including:

Receiving an interface calling authority request sent by an application system;

Receiving a file downloading request sent by the application system after being encrypted by the private key; the file downloading request comprises the application identifier, the signature parameter, the file security parameter to be downloaded and the resource information of the file to be downloaded;

Decrypting the file downloading request by using the public key;

performing authority verification on the decrypted file downloading request by using the application identifier, if the verification is passed, acquiring a downloading address from a storage server, and returning the downloading address to the application system; and if the verification is not passed, rejecting the file downloading request.

In an implementation manner of the second aspect, generating the application identifier, the public key and the private key according to the interface call permission request includes:

and distributing the public key and the private key for the application system.

In one implementation manner of the second aspect, the method further includes:

extracting key data based on the file downloading request to obtain a signature string; the key data comprises a downloading request method, a downloading request path, downloading request parameter information and date information;

Encrypting the signature string to obtain an encrypted byte array;

And carrying out signature verification on the signature parameters in the file downloading request based on the verification signature parameters.

In one implementation manner of the second aspect, the method further includes:

Carrying out downloading verification on the file downloading request by utilizing the resource information of the file to be downloaded, if the verification is passed, acquiring a downloading address from a storage server, and returning the downloading address to the application system; and if the verification is not passed, rejecting the file downloading request.

In one implementation manner of the second aspect, the method further includes:

Judging the security level of the file to be downloaded by using the security level parameter of the file to be downloaded, and if the file to be downloaded is a high-density file, returning an intranet downloading address to the application system; and if the file to be downloaded is a low-density file, returning an external network downloading address to the application system.

In a third aspect, the present application provides a file transfer system, the system comprising:

the first interface request module is used for receiving an interface calling authority request sent by the application system;

The first generation module is used for generating an application identifier, a public key and a private key according to the interface calling authority request;

the uploading request module is used for receiving a file uploading request sent by the application system after the application system is encrypted by the private key; the file uploading request comprises the application identifier, the file identifier to be uploaded, the file security parameter to be uploaded, the signature parameter and the file to be uploaded;

The first decryption module is used for decrypting the file uploading request by using the public key;

The uploading module is used for verifying the authority of the decrypted file uploading request by using the application identifier, and if the verification is passed, the file to be uploaded is uploaded to a storage server; and if the verification is not passed, rejecting the file uploading request.

In a fourth aspect, the present application provides a file transfer system, the system comprising:

the second interface request module is used for receiving an interface calling authority request sent by the application system;

The second generation module is used for generating an application identifier, a public key and a private key according to the interface calling authority request;

the downloading request module is used for receiving a file downloading request sent by the application system after the application system is encrypted by the private key; the file downloading request comprises the application identifier, the signature parameter, the file security parameter to be downloaded and the resource information of the file to be downloaded;

The second decryption module is used for decrypting the file downloading request by utilizing the public key;

the downloading module is used for verifying the authority of the decrypted file downloading request by utilizing the application identifier, if the verification is passed, obtaining a downloading address from a storage server, and returning the downloading address to the application system; and if the verification is not passed, rejecting the file downloading request.

In a fifth aspect, the present application provides an electronic device, including: a processor and a memory;

the memory is used for storing a computer program;

The processor is configured to execute the computer program stored in the memory, so that the electronic device executes the file transfer method described above.

In a sixth aspect, the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by an electronic device, implements the file transfer method described above.

As described above, the file transmission method, system, storage medium and electronic device of the present application have the following beneficial effects:

(1) The application can effectively verify the identities of the two parties of transmission and ensure the safety of the file in the transmission process by encrypting transmission, calling the authority control, the signature verification mechanism and the authority verification through the interface.

(2) The application utilizes the file identification to be uploaded to carry out integrity verification, realizes the integrity detection of the file, judges whether the file is tampered in the transmission process, and ensures the reality and the safety of file transmission.

(3) The application uses the file identification to be uploaded to carry out duplicate removal verification, realizes that the resource information of the uploaded file can be returned immediately for the file which has already been uploaded, improves the file transmission efficiency and solves the problem of repeated storage in the service use process.

(4) The application can judge the file security by using the file security parameters, and select two address types through the intranet or the extranet to realize file transmission according to the different file security, thereby further strengthening the system security.

Drawings

Fig. 1 is a schematic view of an electronic device according to an embodiment of the application.

Fig. 2 is a flowchart of a file transfer method according to an embodiment of the application.

Fig. 3 is a flowchart of a file transfer method according to an embodiment of the application.

Fig. 4 is a flowchart of a file transfer method according to an embodiment of the application.

Fig. 5 is a schematic diagram of a file transfer system according to an embodiment of the application.

Fig. 6 is a schematic diagram of a file transfer system according to an embodiment of the application.

Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the application.

Detailed Description

Other advantages and effects of the present application will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present application with reference to specific examples. The application may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied from the spirit and scope of the present application. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict.

It should be noted that the illustrations provided in the following embodiments merely illustrate the basic concept of the present application by way of illustration, and only the components related to the present application are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.

The following embodiments of the present application provide a file transfer method that can be applied to a file transfer apparatus as shown in fig. 1. The file transfer device of the present application may include an invoice system 11, apisix gateway 12, a file center 13, an OSS server 14, and a database 15. In the file transfer device of fig. 1, the invoice system 11 issues an interface call permission request, and the file center 13 examines and approves the interface call permission request. When the approval passes, the file center 13 registers the application system 13, generates an application identifier, a public key and a private key, and distributes the application identifier, the public key and the private key. Thereafter, when the invoice system 11 is about to transmit the file, the file transmission request is encrypted by the private key and sent to the apisix gateway 12. The apisix gateway 12 verifies the signature parameters in the file transfer request. After the signature parameter verification is passed, the file center 13 decrypts the file transmission request by using the public key, and then verifies the authority of the decrypted file transmission request by using the application identifier so as to ensure the transmission security. And when the authority verification is passed, calling an interface from the storage server to acquire a transmission address for file transmission, otherwise, rejecting a file transmission request. In addition, the file transfer device provided in fig. 1 is also capable of performing history data management, and history file transfer operations are retained in the database 15 for management.

The following describes the technical solution in the embodiment of the present application in detail with reference to the drawings in the embodiment of the present application.

In one embodiment, as shown in fig. 2, the file transfer method of the present application includes steps S1-S5.

S1: and receiving an interface calling authority request sent by the application system.

Specifically, in the file transmission process, the interface is used for calling the authority control, so that the security of file transmission is improved. Thus, in some embodiments, if the application system is to transfer a file, it is first necessary to issue an interface call permission request to the file center for approval.

S2: and generating an application identifier, a public key and a private key according to the interface calling authority request.

Specifically, as shown in fig. 3, step S2 includes steps S21 and S22.

S21: registering the application system which sends the interface calling authority request to obtain the application identification.

In some embodiments, after the file center examines and approves the interface call request sent by the application system, the file center registers the application and obtains the application identifier corresponding to the application. And the application identification is returned to the application system for application system authentication in the subsequent file transmission process.

In some embodiments, the file center only registers for the application system that first sent the file upload request to obtain the corresponding application identifier. When the registered application system sends out the file uploading request again, the application identification is unchanged.

S22: and distributing the public key and the private key for the application system.

In some embodiments, the file center generates a pair of public and private keys using an RSA (128 bit) asymmetric encryption algorithm. The public key is stored in a file center, and the private key is returned to the application system.

In some embodiments, the private key is returned to the application system (received by the user) asynchronously through mail or enterprise WeChat.

S3: receiving a file uploading request sent by the application system after being encrypted by the private key; the file uploading request comprises the application identifier, the file identifier to be uploaded, the file security parameter to be uploaded, the signature parameter and the file to be uploaded.

In some embodiments, after receiving the private key, the application system encrypts the file upload request with the private key, and then sends out the encrypted file upload request. The file uploading request comprises the application identifier, the file identifier to be uploaded, the file security parameter to be uploaded, the signature parameter and the file to be uploaded.

In some embodiments, the file to be uploaded is identified as the md5 value of the file to be uploaded. The md5 value is calculated by an md5 message digest algorithm. The MD5 information abstract algorithm takes the whole file to be uploaded as a large text message, and generates a unique MD5 information abstract through an irreversible character string transformation algorithm. It processes the incoming information in 512-bit packets, and each packet is divided into 16 32-bit sub-packets, after a series of processing, the output of the algorithm consists of four 32-bit packets, which are concatenated to generate a 128-bit hash value, i.e., md5 value. Thus, if anyone makes any changes to the file, its md5 value will change, so that the integrity of the file transfer can be ensured with the md5 value.

In some embodiments, the file security parameters to be uploaded are resource attributes of the file, i.e., enumeration values. And judging the confidentiality degree of the file requested to be uploaded through the enumeration value.

In some embodiments, to prevent the file upload request from being tampered with and the interface from being maliciously invoked, the application system may add a signature parameter to the file upload request when the interface is invoked. The signature parameters are calculated by adopting a standard hmac-sha256 encryption mode.

It should be noted that, each file upload request sent by the application system will be signed in real time. Because of this, signature parameters in each file uploading request are different, so that the security of transmission can be better ensured.

In some embodiments, the specific process of adding the signature parameters in real time in the file upload request includes:

(1) Extracting key data based on the file uploading request to obtain a signature string; the key data includes at least one of an upload request method, an upload request path, upload request parameter information, access key information, and date information.

(2) And encrypting the signature string to obtain an encrypted byte array.

(3) And encoding the encrypted byte array to obtain signature parameters.

(4) The signature parameters are added to a specified request header to add a signature to the file upload request.

Taking a file upload request http://127.0.0.1:9080/aichat/v1/index. Htmlname= james & age=36 as an example, the above process is implemented as follows:

1) The method for extracting the uploading request comprises the following steps: defaulting to GET to obtain signature string signing _string as 'GET\n';

2) Extracting an uploading request path: per aichat/v1/index. Htm, signing _string is obtained

“GET\n/aichat/v1/index.htm\n”。

3) Extracting uploading request parameter information: name= james & age=36, in which case, the parameter key value pair needs to be sorted in ascending order according to the parameter key to obtain new parameter string information "age=36 & name= james", so as to obtain the new parameter string information "age= james"

Signing _string is "get\n/aichat/v1/index. Htm\ nage =36 & name= james \n".

4) Extracting access key information: the access key in the file upload request is liumengchao, and signing _string is "get\n/aichat/v1/index.htm\ nage =36 & name= james \ nliumengchao \n".

5) Extracting date information: i.e. date information Tue 19Jan 2021 11:33:20 in the request header of the file upload request

GMT, get signing _string as

“GET\n/aichat/v1/index.htm\nage＝36&name＝james\nliumengchao\nTue,19Jan 2021

11:33:20GMT\n”。

It should be noted that, if the extracted key data has no corresponding parameter, the extracted key data is replaced by "\n" to be added into the signature string.

6) And obtaining an encrypted byte array of signing _string by adopting hmac-sha256 encryption mode.

7) And encoding the encrypted byte array by adopting a base64 mode to obtain the X-HMAC-SIGNATURE SIGNATURE information (SIGNATURE parameters) as follows: THqzlcQECyV4Rs5ZKeJKElAi8ljup2UhwWJqavdkx4 o=.

8) The SIGNATURE parameters are added to the header of the parameter key X-HMAC-SIGNATURE to add a SIGNATURE to the file upload request.

When the upload request method is a get request and the request body is absent, a signature is calculated for the empty string, for example, base64 (hmac-sha (").

S4: and decrypting the file uploading request by using the public key.

In some embodiments, after the file center receives the file upload request, the encrypted file upload request will be decrypted using the public key.

It should be noted that, before decrypting the file upload request in step S4, the file transmission method provided by the present application further includes:

(A) Extracting key data based on the file uploading request to obtain a signature string; the key data includes at least one of an upload request method, an upload request path, upload request parameter information, access key information, and date information.

(B) Encrypting the signature string to obtain an encrypted byte array

(C) And encoding the encrypted byte array to obtain verification signature parameters.

(D) And carrying out signature verification on the signature parameters in the file uploading request based on the verification signature parameters.

That is, after the file center receives the file uploading request, a verification signature parameter is generated, and signature verification is performed on the signature parameter in the file uploading request based on the verification signature parameter. When the signature verification is passed, the decryption in the step S4 is carried out; when the signature verification fails, an authentication error is prompted 403. Through signature authentication, the identities of the two sides of the file transmission can be effectively verified, and the safety of the file transmission is ensured.

It should be noted that, the specific generation process of the verification signature parameter may refer to the related description content in step S3, which is not described herein.

It should be noted that in other embodiments, the verification signature parameters may also be generated and verified by a third party, for example, through the apisix gateway. The application is not limited thereto.

S5: performing authority verification on the decrypted file uploading request by using the application identifier, and uploading the file to be uploaded to a storage server if the verification is passed; and if the verification is not passed, rejecting the file uploading request.

In some embodiments, the file center uses the application identifier to perform authority verification on the decrypted file uploading request, and determines whether the sender of the request has file uploading authority. If the authority verification is passed, the file uploading requesting party has uploading authority, the file center calls a storage server interface at the moment to acquire an uploading address, and the file to be uploaded is uploaded to a storage server through the uploading address; if the verification is not passed, the file uploading request party does not have uploading authority, and the file uploading request is refused.

In other embodiments, the file transmission method provided by the present application further includes: performing duplicate removal verification on the file uploading request by using the file identifier to be uploaded, and uploading the file to be uploaded to a storage server if verification is passed; and if the verification is not passed, returning the resource information of the uploaded file in the storage server.

And the file to be uploaded is identified as the md5 value of the file. The application carries out duplicate removal verification through the md5 value of the file and judges whether the same file exists in the storage server. If the verification is passed, the file is not uploaded to the storage server, a storage server interface is called, an uploading address is obtained, and the file to be uploaded is uploaded to the storage server through the uploading address; if the verification is not passed, the fact that the same file exists in the storage server is indicated, and the resource information of the uploaded file in the storage server is returned, so that the problem of repeated storage in the service using process is avoided.

In some embodiments, the resource information of the uploaded file is the resource id of the file at the storage server.

For example, after the financial system a uploads the financial document a of one year to the storage server, if the financial system a or other application system is to upload the financial document b again, the document center will determine whether the md5 value of the financial document b to be uploaded is the same as the md5 value of the financial document a. If the two financial documents are identical, the document center refuses to upload the financial document b and returns the resource information of the financial document a to the financial system A or other application systems. Namely, the file center judges whether the file is repeatedly uploaded according to the file identification to be uploaded, so that the storage efficiency is improved, and the storage cost is reduced.

In other embodiments, the file transmission method provided by the present application further includes: carrying out integrity verification on the file uploading request by utilizing the file identifier to be uploaded, and uploading the file to be uploaded to a storage server if verification is passed; and if the verification is not passed, rejecting the file uploading request.

And the file to be uploaded is identified as the md5 value of the file. The application judges the integrity of the file through the md5 value of the file, namely judges whether the file is tampered or lost in the transmission process. If the verification is passed, the file transmission safety is described, a storage server interface is called, an uploading address is obtained, and the file to be uploaded is uploaded to a storage server through the uploading address; if the verification is not passed, the situation that the file is possibly lost or tampered in the transmission process is indicated, and the file uploading request is refused.

In some embodiments, when the file center receives the request to be uploaded, the md5 value of the file is regenerated, and based on the new md5 value, it is determined whether the md5 value of the file is the same as the md5 value of the file in the request to upload the file. If the description file is the same, the description file is complete, and uploading is performed. If the files are not the same, the file center is used for receiving the file which is not the file for requesting uploading, and the file uploading request is refused for the storage security.

It should be noted that other request parameters may be added to the file uploading request, so that after the file center receives the file uploading request, the file center may perform other service processing according to the request parameters and upload the file to the storage server. Such as decompression, ocr identification, format conversion, etc.

It should be noted that the OSS server may be selected by the storage server. For the OSS storage engine, there will be at least 1 copy per file, thus ensuring the reliability of file storage.

In other embodiments, the file transmission method provided by the present application further includes: judging the security level of the file to be uploaded by using the security level parameter of the file to be uploaded, and uploading the file to be uploaded to the storage server through an intranet address if the file to be uploaded is a high-ciphertext file; and if the file to be uploaded is a low ciphertext, uploading the file to the storage server through an extranet address.

In some embodiments, after the file center judges the security level of the file to be uploaded by using the security level parameter of the file to be uploaded, if the file to be uploaded is a high-ciphertext file, a storage server interface is called to obtain an intranet address, and the file to be uploaded is uploaded to a storage server through the intranet address; otherwise, if the file to be uploaded is a low ciphertext, a storage server interface is called, an external network address is obtained, and the file to be uploaded is uploaded to a storage server through the external network address.

It should be noted that, the intranet address and the extranet address obtained by the file center both have aging. In some embodiments, to secure the resource download link against malicious theft, a valid upload address within 1h is generated by default. In other embodiments, generation of permanently valid addresses is also supported in order to ensure stability of traffic.

In other embodiments, the uploading address in the file transmission method provided by the application also supports shared link support. After the shared party obtains the shared uploading address, the shared party also needs to initiate an interface call permission request and a file uploading request through similar steps, so that the file can be really uploaded through the actual uploading address.

In other embodiments, the file transmission method provided by the application further includes trace management for the historical uploading operation of the file, so as to further improve the security of file transmission.

In another embodiment, as shown in fig. 4, the file transfer method of the present application includes steps S6-S10.

S6: and receiving an interface calling authority request sent by the application system.

S7: and generating an application identifier, a public key and a private key according to the interface calling authority request.

Specifically, an application system sending the interface calling authority request is registered, and the application identifier is obtained.

In some embodiments, the file center only registers for the application system that first sent the file download request, so as to obtain the corresponding application identifier. When the registered application system sends out the file downloading request again, the application identification is unchanged.

Specifically, the public key and the private key are distributed to the application system.

S8: receiving a file downloading request sent by the application system after being encrypted by the private key; the file downloading request comprises the application identifier, the file security parameter to be downloaded, the signature parameter and the resource information of the file to be downloaded.

In some embodiments, after receiving the private key, the application system encrypts the file download request with the private key, and then issues the encrypted file download request. The file downloading request comprises the application identifier, signature parameters and resource information of the file to be downloaded.

It should be noted that, the file downloading request sent by the application system is to apply for obtaining the downloading address of the file to be downloaded. In some embodiments, to ensure the security of the resource download link, and prevent malicious theft, the default application system applies to obtain a valid download address within 1 h. In other embodiments, application systems are also supported for applying permanently valid addresses in order to ensure stability of traffic.

In some embodiments, the file security level parameter to be downloaded is a resource attribute of the file, i.e., an enumerated value. And judging the confidentiality degree of the file requested to be uploaded through the enumeration value.

In some embodiments, to prevent the file download request from being tampered with and the interface from being maliciously invoked, the application system may add a signature parameter to the file download request when the interface is invoked. The signature parameters are calculated by adopting a standard hmac-sha256 encryption mode.

It should be noted that, each file download request sent by the application system will be signed in real time. Because of this, signature parameters in each file download request are different, so that the security of transmission can be better ensured.

In some embodiments, the specific process of adding the signature parameters in real time in the file download request includes:

(1) Extracting key data based on the file downloading request to obtain a signature string; the key data includes at least one of a download request method, a download request path, download request parameter information, and date information.

In some embodiments, the download request method defaults to a get request.

(2) And encrypting the signature string to obtain an encrypted byte array.

In some embodiments, the encrypted byte array of the signature string is obtained using hmac-sha256 encryption.

(3) And encoding the encrypted byte array to obtain signature parameters.

In some embodiments, the encrypted byte array is encoded in a base64 fashion to obtain the signature parameters.

(4) The signature parameters are added to a specified request header to add a signature to the file download request.

When the upload request method is a get request and the request body is absent, a signature is calculated for the empty string, for example, base64 (hmac-sha (")).

S9: and decrypting the file downloading request by using the public key.

In some embodiments, after the file center receives the file download request, the encrypted file download request will be decrypted using the public key.

It should be noted that, before decrypting the file downloading request in step S9, the file transmission method provided by the present application further includes:

(A) Extracting key data based on the file downloading request to obtain a signature string; the key data includes at least one of a download request method, a download request path, download request parameter information, and date information.

(B) And encrypting the signature string to obtain an encrypted byte array.

That is, after the file center receives the file downloading request, a verification signature parameter is generated, and signature verification is performed on the signature parameter in the file downloading request based on the verification signature parameter. When the signature verification is passed, the decryption in the step S9 is carried out; when the signature verification fails, an authentication error is prompted 403. Through signature authentication, the identities of the two sides of the file transmission can be effectively verified, and the interface is prevented from being maliciously requested, so that the safety of the file transmission is ensured.

It should be noted that, the specific generation process of the verification signature parameter may refer to the foregoing, and will not be described herein.

S10: performing authority verification on the decrypted file downloading request by using the application identifier, if the verification is passed, acquiring a downloading address from a storage server, and returning the downloading address to the application system; and if the verification is not passed, rejecting the file downloading request.

In some embodiments, the file center uses the application identifier to perform authority verification on the decrypted file downloading request, and determines whether the sender of the request has file downloading authority. If the authority verification is passed, the file download requester has the download authority, the file center calls a storage server interface to acquire a download address, and returns the download address of the file to be downloaded to the application system so that the application system downloads the corresponding file from the storage server; if the verification is not passed, the file download request party does not have the download authority, and the file download request is refused.

In other embodiments, the file transmission method provided by the present application further includes: carrying out downloading verification on the file downloading request by utilizing the resource information of the file to be downloaded, if the verification is passed, acquiring a downloading address from a storage server, and returning the downloading address to the application system; and if the verification is not passed, rejecting the file downloading request.

The resource information of the file to be downloaded refers to a resource id of the file stored in the storage server. When a file center receives a file downloading request, carrying out downloading verification on the file downloading request by utilizing the resource information of the file to be downloaded, if the verification is passed, indicating that the file exists in a storage server, calling a storage server interface at the moment, acquiring a downloading address, and returning the downloading address of the file to be downloaded to the application system so as to enable the application system to download the corresponding file from the storage server; if the verification is not passed, the fact that the file which is requested to be downloaded does not exist in the storage server is indicated, and at the moment, the file downloading request is refused.

In other embodiments, when the file requested to be downloaded does not exist in the storage server, the file center refuses the file downloading request, and can send a message notification of the absence of the file to the application system, so as to check the resource information in time.

In other embodiments, the file transmission method provided by the present application further includes: judging the security level of the file to be downloaded, and if the file to be downloaded is a high-density file, returning an intranet downloading address to the application system; and if the file to be downloaded is a low-density file, returning an external network downloading address to the application system.

It should be noted that, both the returned intranet address and the extranet address have aging. In some embodiments, to secure the resource download link, a valid download address within 1h is returned to the application system by default. In other embodiments, a permanently valid download address may also be returned.

It should be noted that other request parameters may be added to the file downloading request, so that after the file center receives the file downloading request, the file center may perform other service processing according to the request parameters and return the downloading address to the application system. Such as batch download in the form of compressed packets, format conversion, compression, etc.

In other embodiments, the download address in the file transfer method provided by the present application also supports sharing links. After the shared party obtains the shared download address, the shared party also needs to initiate an interface call permission request and a file download request through similar steps, so that the file can be really uploaded through the actual download address.

In other embodiments, the file transmission method provided by the application further includes trace management for the history downloading operation of the file, so as to further improve the security of file transmission. The protection scope of the file transmission method according to the embodiment of the present application is not limited to the execution sequence of the steps listed in the embodiment, and all the schemes implemented by adding or removing steps and replacing steps according to the prior art according to the principles of the present application are included in the protection scope of the present application.

The embodiment of the application also provides a file transmission system, which can realize the file transmission method of the application, but the implementation device of the file transmission system of the application includes but is not limited to the structure of the file transmission system listed in the embodiment, and all the structural modifications and substitutions of the prior art according to the principles of the application are included in the protection scope of the application.

As shown in fig. 5, in an embodiment, the file transfer system of the present application includes a first interface request module 41, a first generation module 42, an upload request module 43, a first decryption module 44, and an upload module 45.

A first interface request module 41, configured to receive an interface call permission request sent by an application system;

a first generation module 42, configured to generate an application identifier, a public key, and a private key according to the interface call permission request;

an upload request module 43, configured to receive a file upload request sent by the application system after being encrypted by the private key; the file uploading request comprises the application identifier, the file identifier to be uploaded, the file security parameter to be uploaded, the signature parameter and the file to be uploaded;

A first decryption module 44, configured to decrypt the file upload request using the public key;

the uploading module 45 is configured to perform authority verification on the decrypted file uploading request by using the application identifier, and if the verification is passed, upload the file to be uploaded to a storage server; and if the verification is not passed, rejecting the file uploading request.

The structures and principles of the first interface request module 41, the first generation module 42, the upload request module 43, the first decryption module 44, and the upload module 45 are in one-to-one correspondence with the steps in the above file transfer method, so that the description thereof will not be repeated here.

In some embodiments, the file transfer system of the present application further comprises an upload signature verification module. The uploading signature verification module is used for extracting key data based on the file uploading request to obtain a signature string; the key data comprises at least one item of information of an uploading request method, an uploading request path, uploading request parameter information, access key information and date information; encrypting the signature string to obtain an encrypted byte array; encoding the encrypted byte array to obtain verification signature parameters; and performing signature verification on the signature parameters in the file uploading request based on the verification signature parameters.

In some embodiments, the file transfer system of the present application further comprises a de-duplication verification module. The duplicate removal verification module is used for carrying out duplicate removal verification on the file uploading request by utilizing the file identifier to be uploaded, and if verification is passed, uploading the file to be uploaded to a storage server; and if the verification is not passed, returning the resource information of the uploaded file in the storage server.

In some embodiments, the file transfer system of the present application further comprises an integrity verification module. The integrity verification module is used for carrying out integrity verification on the file uploading request by utilizing the file identifier to be uploaded, and if the verification is passed, the file to be uploaded is uploaded to a storage server; and if the verification is not passed, rejecting the file uploading request.

In some embodiments, the file transfer system of the present application further includes an upload security determination module. The security level judging module is used for judging the security level of the file to be uploaded by utilizing the security level parameter of the file to be uploaded, and if the file to be uploaded is a high-ciphertext file, the file to be uploaded is uploaded to the storage server through an intranet address; and if the file to be uploaded is a low ciphertext, uploading the file to the storage server through an extranet address.

In some embodiments, the file transfer system provided by the present application further includes an upload sharing module. The uploading sharing module is used for supporting sharing uploading address links.

In some embodiments, the file transfer system of the present application further includes an upload operation trace module. The uploading operation trace module is used for carrying out trace management on the historical uploading operation of the file so as to further improve the safety of file transmission.

The structure and principle of the uploading signature verification module, the duplicate removal verification module, the integrity verification module, the uploading security judgment module, the uploading sharing module and the uploading operation mark retaining module correspond to those of the file transmission method, so that the description is omitted here.

In another embodiment, as shown in fig. 6, the file transfer system of the present application includes a second interface request module 51, a second generation module 52, a download request module 53, a second decryption module 54 and a download module 55.

A second interface request module 51, configured to receive an interface call permission request sent by the application system;

A second generating module 52, configured to generate an application identifier, a public key, and a private key according to the interface call permission request;

A download request module 53, configured to receive a file download request sent by the application system after being encrypted by the private key; the file downloading request comprises the application identifier, a file security parameter to be downloaded, a signature parameter and resource information of the file to be downloaded;

a second decryption module 54, configured to decrypt the file download request using the public key;

The download module 55 is configured to perform authority verification on the decrypted file download request by using the application identifier, and if the verification is passed, acquire a download address from a storage server, and return the download address to the application system; and if the verification is not passed, rejecting the file downloading request.

The structures and principles of the second interface request module 51, the second generation module 52, the download request module 53, the second decryption module 54, and the download module 55 are in one-to-one correspondence with the steps in the above file transfer method, so that the description thereof will not be repeated here.

In some embodiments, the file transfer system of the present application further comprises a download signature authentication module. The download signature authentication module is used for extracting key data based on the file download request to obtain a signature string; the key data comprises at least one item of information of a downloading request method, a downloading request path, downloading request parameter information and date information; encrypting the signature string to obtain an encrypted byte array; encoding the encrypted byte array to obtain verification signature parameters; and performing signature verification on the signature parameters in the file downloading request based on the verification signature parameters.

In some embodiments, the file transfer system of the present application further comprises a download authentication module. The download authentication module is used for carrying out download authentication on the file download request by utilizing the resource information of the file to be downloaded, if the authentication is passed, acquiring a download address from a storage server, and returning the download address to the application system; and if the verification is not passed, rejecting the file downloading request.

In some embodiments, the file transfer system of the present application further includes a download security level determination module. The downloading security level judging module is used for judging the security level of the file to be downloaded by utilizing the security level parameter of the file to be downloaded, and if the file to be downloaded is a high-density file, the downloading security level judging module returns an intranet downloading address to the application system; and if the file to be downloaded is a low-density file, returning an external network downloading address to the application system.

In some embodiments, the file transfer system provided by the present application further includes a download sharing module. The download sharing module is used for supporting sharing download address links.

In some embodiments, the file transfer system of the present application further comprises a download operation marking module. The downloading operation trace module is used for carrying out trace management on the historical downloading operation of the file so as to further improve the safety of file transmission.

The structure and principle of the download signature authentication module, the download security level judgment module, the download sharing module and the download operation mark-keeping module correspond to those of the file transmission method, so that the description thereof is omitted.

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, or method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of modules/units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple modules or units may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules or units, which may be in electrical, mechanical or other forms.

The modules/units illustrated as separate components may or may not be physically separate, and components shown as modules/units may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules/units may be selected according to actual needs to achieve the objectives of the embodiments of the present application. For example, functional modules/units in various embodiments of the application may be integrated into one processing module, or each module/unit may exist alone physically, or two or more modules/units may be integrated into one module/unit.

Those of ordinary skill would further appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

The embodiment of the application also provides a computer readable storage medium. Those of ordinary skill in the art will appreciate that all or part of the steps in a method implementing the above embodiments may be implemented by a program to instruct a processor, where the program may be stored in a computer readable storage medium, where the storage medium is a non-transitory (non-transitory) medium, such as a random access memory, a read only memory, a flash memory, a hard disk, a solid state disk, a magnetic tape (MAGNETIC TAPE), a floppy disk (floppy disk), a compact disk (optical disk), and any combination thereof. The storage media may be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disc (digital video disc, DVD)), or a semiconductor medium (e.g., a Solid State Drive (SSD)), or the like.

The embodiment of the application also provides electronic equipment. The electronic device includes a processor and a memory.

The memory is used for storing a computer program.

The memory includes: various media capable of storing program codes, such as ROM, RAM, magnetic disk, U-disk, memory card, or optical disk.

The processor is connected with the memory and is used for executing the computer program stored in the memory so as to enable the electronic equipment to execute the file transmission method.

Preferably, the processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, abbreviated as CPU), a network processor (Network Processor, abbreviated as NP), and the like; but may also be a digital signal Processor (DIGITAL SIGNAL Processor, DSP), application SPECIFIC INTEGRATED Circuit, ASIC, field programmable gate array (Field Programmable GATE ARRAY, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components.

As shown in fig. 7, the electronic device of the present application is embodied in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: one or more processors or processing units 51, a memory 52, a bus 53 that connects the various system components, including the memory 52 and the processing unit 51.

Bus 53 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, micro channel architecture (MAC) bus, enhanced ISA bus, video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.

Electronic devices typically include a variety of computer system readable media. Such media can be any available media that can be accessed by the electronic device and includes both volatile and nonvolatile media, removable and non-removable media.

Memory 52 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 521 and/or cache memory 522. The electronic device may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 523 may be used to read from or write to non-removable, non-volatile magnetic media (not shown in FIG. 7, commonly referred to as a "hard disk drive"). Although not shown in fig. 7, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be coupled to bus 53 through one or more data medium interfaces. Memory 52 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the application.

A program/utility 524 having a set (at least one) of program modules 5241 may be stored in, for example, memory 52, such program modules 5241 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 5241 generally perform the functions and/or methods in the described embodiments of the application.

The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, display, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., network card, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 54. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through the network adapter 55. As shown in fig. 7, the network adapter 55 communicates with other modules of the electronic device over the bus 53. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.

Embodiments of the present application may also provide a computer program product comprising one or more computer instructions. When the computer instructions are loaded and executed on a computing device, the processes or functions in accordance with embodiments of the present application are fully or partially developed. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website, computer, or data center to another website, computer, or data center by a wired (e.g., coaxial cable, fiber optic, digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.).

The computer program product is executed by a computer, which performs the method according to the preceding method embodiment. The computer program product may be a software installation package, which may be downloaded and executed on a computer in case the aforementioned method is required.

The application provides a file transmission method, a file transmission system, a storage medium and electronic equipment, which can effectively ensure the security of a file in the transmission process through encryption transmission, an authentication mechanism and authority verification. And secondly, the application can detect the integrity and judge whether the file is tampered in the transmission process, thereby ensuring the reality and the safety of the file transmission. And the application can perform de-duplication detection, and immediately return the resource information of the uploaded file for the uploaded file, thus improving file transmission efficiency and solving the problem of repeated storage in the service use process. Finally, according to the different file security levels, the file transmission is realized through two address types of the internal network or the external network, so that the system security is further enhanced. In the practical application process, the method can improve the file transmission efficiency by more than 20%, improve the file storage space utilization rate by more than 25%, and have great practical value.

The descriptions of the processes or structures corresponding to the drawings have emphasis, and the descriptions of other processes or structures may be referred to for the parts of a certain process or structure that are not described in detail.

The above embodiments are merely illustrative of the principles of the present application and its effectiveness, and are not intended to limit the application. Modifications and variations may be made to the above-described embodiments by those skilled in the art without departing from the spirit and scope of the application. Accordingly, it is intended that all equivalent modifications and variations of the application be covered by the claims, which are within the ordinary skill of the art, be within the spirit and scope of the present disclosure.

Claims

1. A method of file transfer, the method comprising:

Receiving an interface calling authority request sent by an application system;

decrypting the file uploading request by using the public key;

2. The file transfer method of claim 1, wherein generating an application identifier, a public key, and a private key from the interface call permission request comprises:

and distributing the public key and the private key for the application system.

3. The file transfer method according to claim 1, characterized in that the method further comprises:

Encrypting the signature string to obtain an encrypted byte array;

4. The file transfer method according to claim 1, characterized in that the method further comprises:

5. The file transfer method according to claim 1, characterized in that the method further comprises:

6. The file transfer method according to claim 1, characterized in that the method further comprises:

7. A method of file transfer, the method comprising:

Receiving an interface calling authority request sent by an application system;

Decrypting the file downloading request by using the public key;

8. The file transfer method of claim 7, wherein generating an application identifier, a public key, and a private key from the interface call permission request comprises:

and distributing the public key and the private key for the application system.

9. The file transfer method of claim 7, wherein the method further comprises:

Encrypting the signature string to obtain an encrypted byte array;

10. The file transfer method according to claim 1, characterized in that the method further comprises:

Carrying out downloading verification on the file downloading request by utilizing the resource information of the file to be downloaded, if the verification is passed, acquiring a downloading address from a storage server, and returning the downloading address to the application system; ; and if the verification is not passed, rejecting the file downloading request.

11. The file transfer method of claim 7, wherein the method further comprises:

12. A file transfer system, the system comprising:

13. A file transfer system, the system comprising:

the downloading module is used for verifying the authority of the decrypted file downloading request by utilizing the application identifier, and if the verification is passed, the downloading address of the file to be downloaded is returned to the application system; and if the verification is not passed, rejecting the file downloading request.

14. A computer readable storage medium having stored thereon a computer program, wherein the computer program is executed by a processor to implement the method of any of claims 1-6 or the method of any of claims 7-11.

15. An electronic device, comprising: a processor and a memory;

the memory is used for storing a computer program;

The processor being coupled to the memory for executing a computer program stored by the memory for causing the file transfer device to perform the method of any one of claims 1-6 or the method of any one of claims 7-11.