CN104468531B - The authorization method of sensitive data, device and system - Google Patents
- Publication number: CN104468531B (CN201410659741.0A)
- Authority: CN (China)
- Prior art keywords: sensitive data, list, user terminal, party server, identifier
- Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0281—Proxies (under H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L9/40—Network security protocols
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The present invention provides a sensitive data authorization method, device, and system. The method includes: a third-party server receives a sensitive data request from a client, where the sensitive data request carries a content request identifier; after the client passes the third-party server's legitimacy check, the third-party server generates a sensitive data request list according to the content request identifier; the third-party server notifies the user terminal of the sensitive data request list through the client; the third-party server receives sensitive data and a session identifier from a cloud storage server, where the sensitive data is obtained by the cloud storage server according to the sensitive data request list uploaded by the user terminal; the third-party server performs the corresponding operation on the sensitive data according to the session identifier and sends the operation result to the client and/or the user terminal. The invention simplifies the user's operations and improves the convenience and security of sensitive operations.
Description
Technical field
The present invention relates to the field of communications, and in particular to a sensitive data authorization method, device (such as a server, a cloud storage server, or a user terminal), and system.
Background
With the development of network technology, there are more and more websites offering various application functions. These functions are usually open only to registered users, so users accumulate more and more usernames (also called accounts), passwords, and similar information registered at different websites.
Registration requires filling in a lot of personal information, and every login requires the correct username and password; some websites also require additional authentication information. These steps involve frequent keyboard operations and have a high learning cost, and many Internet users (especially elderly ones) still cannot complete them independently. Second, logging in, registering, and filling in personal information are high-frequency operations, yet each one requires entering the same information again, which is tedious and makes for a poor user experience. Third, an Internet user often has dozens or even hundreds of online accounts. For ease of memorization, many users use only one set (or a limited number of sets) of account names and passwords, which creates a serious security risk: once an account is lost at website A, website B is affected as well. In addition, attack methods such as phishing websites, keyloggers, and Trojan horses make submitting accounts and personal information directly to a website client a high-risk operation.
The related art provides a user identity verification method based on scanning a two-dimensional code. In this method, a two-dimensional code server provides the user with a two-dimensional code dedicated to verifying whether the user's identity is legitimate. The user scans the code and sends it to a verification server, which no longer needs to verify the user's account and password and instead confirms the user's identity directly from the two-dimensional code and related information. By scanning a two-dimensional code, this method avoids the step of frequently entering authentication information and simplifies verification to some extent, but it still does not address the tedious operations of user registration and of filling in private user information.
In the course of research, the inventor found that sensitive data operations in existing communications require frequent user participation.
Summary of the invention
In view of this, the purpose of the embodiments of the present invention is to provide a sensitive data authorization method, device (such as a server, a cloud storage server, or a user terminal), and system that simplify the user's sensitive operations on the basis of secure communication.
In a first aspect, an embodiment of the present invention provides a sensitive data authorization method, comprising: a third-party server receives a sensitive data request from a client, where the sensitive data request carries a content request identifier; after the client passes the third-party server's legitimacy check, the third-party server generates a sensitive data request list according to the content request identifier, where the sensitive data request list includes the identifier of the third-party server, a session identifier, and the content request identifier; the third-party server notifies the user terminal of the sensitive data request list through the client; the third-party server receives sensitive data and the session identifier from a cloud storage server, where the sensitive data is obtained by the cloud storage server according to the sensitive data request list uploaded by the user terminal; and the third-party server performs the corresponding operation on the sensitive data according to the session identifier and sends the operation result to the client and/or the user terminal.
In a second aspect, an embodiment of the present invention further provides a sensitive data authorization method, comprising: a cloud storage server receives a sensitive data request list uploaded by a user terminal, where the sensitive data request list is generated by a third-party server according to the content request identifier in the client's sensitive data request and is notified to the user terminal through the client, and where the sensitive data request list includes the identifier of the third-party server, a session identifier, and the content request identifier; the cloud storage server obtains the sensitive data according to the identifier of the third-party server and the content request identifier in the sensitive data request list; and the cloud storage server sends the sensitive data and the session identifier to the third-party server according to the identifier of the third-party server, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
In a third aspect, an embodiment of the present invention further provides a server, comprising: a request receiving module, configured to receive a sensitive data request from a client, where the sensitive data request carries a content request identifier; a list generation module, configured to generate, after the client passes the legitimacy check, a sensitive data request list according to the content request identifier, where the sensitive data request list includes the identifier of the server, a session identifier, and the content request identifier; a list notification module, configured to notify the user terminal of the sensitive data request list through the client; a data receiving module, configured to receive sensitive data and the session identifier from a cloud storage server, where the sensitive data is obtained by the cloud storage server according to the sensitive data request list uploaded by the user terminal; and a sensitive data processing module, configured to perform the corresponding operation on the sensitive data according to the session identifier and send the operation result to the client and/or the user terminal.
In a fourth aspect, an embodiment of the present invention further provides a cloud storage server, comprising: a list receiving module, configured to receive a sensitive data request list uploaded by a user terminal, where the sensitive data request list is generated by a third-party server according to the content request identifier in the client's sensitive data request and is notified to the user terminal through the client, and where the sensitive data request list includes the identifier of the third-party server, a session identifier, and the content request identifier; a sensitive data acquisition module, configured to obtain the sensitive data according to the sensitive data request list; and a data sending module, configured to send the sensitive data and the session identifier to the third-party server according to the identifier of the third-party server, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
In a fifth aspect, an embodiment of the present invention further provides a sensitive data authorization system, comprising a third-party server and a cloud storage server, where the third-party server is the server provided in the third aspect above and the cloud storage server is the cloud storage server provided in the fourth aspect above.
In a sixth aspect, an embodiment of the present invention further provides a sensitive data authorization method, comprising: a third-party server receives a sensitive data request from a client, where the sensitive data request carries a content request identifier; after the client passes the third-party server's legitimacy check, the third-party server generates a sensitive data request list according to the content request identifier, where the sensitive data request list includes the identifier of the third-party server, a session identifier, and the content request identifier; the third-party server notifies the user terminal of the sensitive data request list through the client; the third-party server receives sensitive data and the session identifier from the user terminal, where the sensitive data is obtained by the user terminal from a local database or from a cloud storage server according to the sensitive data request list; and the third-party server performs the corresponding operation on the sensitive data according to the session identifier and sends the operation result to the client and/or the user terminal.
In a seventh aspect, an embodiment of the present invention further provides a sensitive data authorization method, comprising: a user terminal receives, through a client, a sensitive data request list notified by a third-party server, where the sensitive data request list is generated by the third-party server according to the content request identifier in the client's sensitive data request and includes the identifier of the third-party server, a session identifier, and the content request identifier; the user terminal obtains the sensitive data from a local database or from a cloud storage server according to the identifier of the third-party server and the content request identifier in the sensitive data request list; and the user terminal sends the sensitive data and the session identifier to the third-party server according to the identifier of the third-party server, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
In an eighth aspect, an embodiment of the present invention further provides a server, comprising: a request receiving module, configured to receive a sensitive data request from a client, where the sensitive data request carries a content request identifier; a request list generation module, configured to generate, after the client passes the legitimacy check, a sensitive data request list according to the content request identifier, where the sensitive data request list includes the identifier of the server, a session identifier, and the content request identifier; a request list notification module, configured to notify the user terminal of the sensitive data request list through the client; a data and identifier receiving module, configured to receive sensitive data and the session identifier from the user terminal, where the sensitive data is obtained by the user terminal from a local database or from a cloud storage server according to the sensitive data request list; and a processing module, configured to perform the corresponding operation on the sensitive data according to the session identifier and send the operation result to the client and/or the user terminal.
In a ninth aspect, an embodiment of the present invention further provides a user terminal, comprising: a request list receiving module, configured to receive, through a client, a sensitive data request list notified by a third-party server, where the sensitive data request list is generated by the third-party server according to the content request identifier in the client's sensitive data request and includes the identifier of the third-party server, a session identifier, and the content request identifier; a data acquisition module, configured to obtain the sensitive data from a local database or from a cloud storage server according to the sensitive data request list; and a data and identifier sending module, configured to send the sensitive data and the session identifier to the third-party server according to the identifier of the third-party server, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
In a tenth aspect, an embodiment of the present invention further provides a sensitive data authorization system, comprising a third-party server and a user terminal, where the third-party server is the server provided in the eighth aspect above and the user terminal is the user terminal provided in the ninth aspect above.
In the method, device, and system (such as the server, cloud storage server, and user terminal) provided by the embodiments of the present invention, after receiving the client's sensitive data request, the third-party server issues a sensitive data request list. This triggers the user terminal either to notify the cloud storage server to obtain the corresponding sensitive data according to the list, or to obtain the corresponding sensitive data itself according to the list, and the sensitive data is then sent to the third-party server. The entire transfer of sensitive data does not involve the website, which effectively prevents malicious websites or viruses from intercepting it. At the same time, the transfer does not require much user participation, nor does it require the user to remember which sensitive data corresponds to which third-party server, which simplifies the user's operations and improves the convenience and security of sensitive operations.
To make the above objects, features, and advantages of the present invention more comprehensible, preferred embodiments are described in detail below with reference to the accompanying drawings.
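The exchange described in the first and second aspects above, written out as an added Python example that is not part of the patent: it shows that the client only ever handles the request list and the operation result, while the sensitive data travels from the cloud storage server to the third-party server. The class names, the allow-list used as the legitimacy check, keying the store by user, accepting each session identifier only once, and all sample values are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestList:
    """Sensitive data request list with the three fields the method names."""
    server_id: str   # identifier of the third-party server
    session_id: str  # session identifier
    content_id: str  # content request identifier (the request scenario)


class ThirdPartyServer:
    def __init__(self, server_id, trusted_clients):
        self.server_id = server_id
        self.trusted_clients = set(trusted_clients)  # stand-in legitimacy check
        self.pending = {}  # session_id -> (client_id, content_id)

    def handle_request(self, client_id, content_id):
        """Check the client, then generate the request list for this session."""
        if client_id not in self.trusted_clients:
            raise PermissionError("client failed the legitimacy check")
        session_id = secrets.token_hex(16)  # random session identifier
        self.pending[session_id] = (client_id, content_id)
        return RequestList(self.server_id, session_id, content_id)

    def receive_sensitive_data(self, session_id, data):
        """Match delivered data to its session and perform the operation."""
        # Assumption: a session identifier is accepted once, so a replayed
        # request list cannot trigger a second delivery.
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return {"ok": False, "reason": "unknown session"}
        client_id, content_id = entry
        # The operation itself (register, log in, fill a form) is out of scope;
        # the result reports only which fields were used, never their values.
        return {"ok": True, "client": client_id, "operation": content_id,
                "fields": sorted(data)}


class CloudStorageServer:
    def __init__(self, servers):
        self.servers = servers  # server_id -> ThirdPartyServer (delivery route)
        self.vault = {}         # (user, server_id, content_id) -> sensitive data

    def store(self, user, server_id, content_id, data):
        self.vault[(user, server_id, content_id)] = dict(data)

    def handle_upload(self, user, request_list):
        """Look up data by server and content identifiers, deliver by server id."""
        server = self.servers.get(request_list.server_id)
        if server is None:
            return {"ok": False, "reason": "unknown third-party server"}
        key = (user, request_list.server_id, request_list.content_id)
        data = self.vault.get(key)
        if data is None:
            return {"ok": False, "reason": "no data stored for this request"}
        return server.receive_sensitive_data(request_list.session_id, data)


def run_flow():
    """Run one login exchange; return what the client saw and both results."""
    site = ThirdPartyServer("shop.example", trusted_clients={"web-client-1"})
    cloud = CloudStorageServer({site.server_id: site})
    # Constructed sample record for a constructed user.
    cloud.store("alice", "shop.example", "login",
                {"username": "alice01", "password": "constructed-secret"})

    client_seen = []
    request_list = site.handle_request("web-client-1", "login")
    client_seen.append(request_list)  # client shows the list to the user terminal
    result = cloud.handle_upload("alice", request_list)  # terminal uploads the list
    client_seen.append(result)        # client receives the operation result
    replay = cloud.handle_upload("alice", request_list)  # same list sent again
    return client_seen, result, replay


if __name__ == "__main__":
    seen, result, replay = run_flow()
    print(result)
    print(replay)
    print("secret visible to client:", "constructed-secret" in repr(seen))
```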
Description of drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 shows a flowchart of the sensitive data authorization method provided by an embodiment of the present invention, described from the third-party server side;
Fig. 2 shows a flowchart of the sensitive data authorization method provided by an embodiment of the present invention, described from the cloud storage server side;
Fig. 3 shows a schematic diagram of the sensitive data authorization method provided by an embodiment of the present invention;
Fig. 4 shows a structural block diagram of the server provided by an embodiment of the present invention;
Fig. 5 shows a structural block diagram of the cloud storage server provided by an embodiment of the present invention;
Fig. 6 shows a structural block diagram of the sensitive data authorization system provided by an embodiment of the present invention;
Fig. 7 shows a flowchart of another sensitive data authorization method provided by an embodiment of the present invention, described from the third-party server side;
Fig. 8 shows a flowchart of the sensitive data authorization method provided by an embodiment of the present invention, described from the user terminal side;
Fig. 9 shows a structural block diagram of another server provided by an embodiment of the present invention;
Fig. 10 shows a structural block diagram of the user terminal provided by an embodiment of the present invention;
Fig. 11 shows a structural block diagram of another sensitive data authorization system provided by an embodiment of the present invention;
Fig. 12 shows a structural block diagram of the sensitive data authorization apparatus 120 provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the drawings herein may be arranged and designed in a variety of different configurations. Accordingly, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention but merely represents selected embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Users often need to register, log in, and fill in private personal information on various websites (for example, bank card or credit card information, or a mailing address). If all of this is entered manually by the user, it is not only inefficient but also easily intercepted by malicious websites, so both security and convenience are relatively low. Based on this, the embodiments of the present invention provide a sensitive data authorization method, device (such as a server, a cloud storage server, or a user terminal), and system.
Referring to the flowchart of the sensitive data authorization method shown in Fig. 1, the method is described from the third-party server side as an example and includes the following steps:
Step S102: the third-party server receives a sensitive data request from the client, where the sensitive data request carries a content request identifier.
After the user opens a sensitive data request scenario through the client, the client sends the third-party server a sensitive data request carrying a content request identifier. The content request identifier indicates the user's current request scenario, which is, for example, one of the following: a user identity registration scenario, a login authentication scenario, or a user private information authorization scenario (such as filling in credit card information or a mailing address).
The client here is associated with the third-party server. It can be an application on the user terminal or an independent terminal device, such as an ATM or an access control device, and the user can access the third-party server through it.
Step S104: after the client passes the third-party server's legitimacy check, the third-party server generates a sensitive data request list according to the content request identifier, where the sensitive data request list includes the identifier of the third-party server, a session identifier, and the content request identifier.
The identifier of the third-party server can be its domain name, IP address, or application key (AppKey). The session identifier can be a string of random numbers or a hash of the time. The sensitive data request list can also include a set of metadata, which can contain information such as the field names and format requirements of the sensitive data. Alternatively, the third-party server and the device that provides the sensitive data can use a pre-agreed convention in which each content request identifier corresponds to its own field names and format requirements; once both sides have determined the content request identifier, the sensitive data can be constructed in the required form, so the sensitive data request list does not need to carry the metadata.
The third-party server can use an existing verification method to verify the legitimacy of the client. For an illegitimate client, the third-party server directly terminates the requested service.
Step S106: the third-party server notifies the user terminal of the sensitive data request list through the client.
The third-party server can notify the sensitive data request list in one of the following ways:
(1) The third-party server converts the sensitive data request list into a corresponding code pattern and displays the code pattern to the user terminal through the client, so that the user terminal parses the code pattern to obtain the sensitive data request list;
(2) The third-party server sends the sensitive data request list to the client in text form, which triggers the client to convert the received text-form sensitive data request list into a corresponding code pattern and display it to the user terminal, so that the user terminal parses the code pattern to obtain the sensitive data request list.
The code pattern is one of the following: a two-dimensional code, a three-dimensional code, a four-dimensional code, or a barcode.
Take converting the sensitive data request list into a two-dimensional code as an example. The conversion can be performed by the third-party server: the third-party server converts the sensitive data request list into a two-dimensional code and sends it to the client, the client displays it to the user, and the user scans it with the user terminal, which parses out the sensitive data request list. Alternatively, the conversion can be performed by the client: the third-party server sends the sensitive data request list to the client in text form, and the client converts the received text-form list into a two-dimensional code and displays it to the user, who scans it with the user terminal to parse out the sensitive data request list. Either way can be chosen in practice; the embodiments of the present invention do not limit this.
When the client displays the code pattern of the sensitive data request list to the user, the user can scan it with a user terminal (for example, a mobile phone). To make the operation more secure, the user terminal may verify the user's identity before the code pattern is scanned. The verification may use one of the following methods: (1) the user terminal verifies whether the user's biometric information is valid; (2) the user terminal verifies whether the user name and password entered by the user are valid; (3) the user terminal verifies whether the pattern entered by the user is valid.
Step S108: the third-party server receives the sensitive data and the session identifier from the cloud storage server, where the sensitive data is obtained by the cloud storage server according to the sensitive data request list uploaded by the user terminal.
The cloud storage server receives the sensitive data request list uploaded by the user terminal, obtains the corresponding sensitive data according to the third-party server identifier and the content request identifier in the list, and, according to the third-party server identifier, sends the obtained sensitive data and the session identifier to the third-party server.
Step S110: the third-party server performs the corresponding operation on the sensitive data according to the session identifier, and sends the operation result to the client and/or the user terminal.
In the above method, after receiving the client's sensitive data request, the third-party server issues a sensitive data request list, which triggers the user terminal to notify the cloud storage server to send the sensitive data corresponding to the list to the third-party server. The entire transfer of sensitive data does not involve the website, which effectively prevents malicious websites or viruses from intercepting the sensitive data. At the same time, the transfer does not require much user involvement, nor does the user need to remember which sensitive data corresponds to which third-party server. This simplifies the user's operations and improves the convenience and security of sensitive operations.
To make the operation more effective, the third-party server performing the corresponding operation on the sensitive data according to the session identifier may include: the third-party server checks, according to the session identifier, whether the business logic of the sensitive data is correct and, if so, performs the operation corresponding to the session identifier on the sensitive data. Business logic here mainly means business rules. For example: when the session identifier indicates that the request scenario is user identity registration or user privacy information authorization, the third-party server checks whether each field of the sensitive data is valid, and if so, determines that the business logic of the sensitive data is correct; when the session identifier indicates that the request scenario is identity login authentication, the third-party server checks whether the login account and password in the sensitive data are valid, and if so, determines that the business logic of the sensitive data is correct.
If the third-party server finds that the business logic of the sensitive data is incorrect, it terminates the current operation. It may also send a message indicating that the sensitive data is incorrect to the cloud storage server, or send that message to the client or the user terminal. With this business logic check, the third-party server can judge whether the received sensitive data is authentic and reliable, which safeguards the subsequent sensitive operations.
After the third-party server has verified that the business logic of the sensitive data is correct, it performs the operation corresponding to the session identifier on the sensitive data. For example: when the session identifier indicates that the request scenario is user identity registration, the third-party server fills the obtained sensitive data into the corresponding form entries one by one according to a preset format. If the content for some entry is missing from the sensitive data, the entry may be skipped and left blank, or the third-party server may automatically generate content for it. In the latter case, the automatically generated content may also be fed back to the cloud storage server, which may save it directly or send it to the user terminal to be saved after the user confirms it. When the session identifier indicates that the request scenario is user identity login authentication, the third-party server sets the client to allow the user's login operation. When the session identifier indicates that the request scenario is user privacy information authorization, the third-party server uses the received sensitive data to set up the corresponding operation on the client, for example filling in credit card information.
Referring to the flowchart of the sensitive data authorization method shown in Figure 2, the method is described from the cloud server side as an example and includes the following steps:
Step S202: the cloud storage server receives the sensitive data request list uploaded by the user terminal, where the list was generated by the third-party server according to the content request identifier in the client's sensitive data request and notified to the user terminal through the client. The sensitive data request list includes the third-party server identifier, the session identifier, and the content request identifier; the specific content of each identifier is as described above and is not repeated here.
Step S204: the cloud storage server obtains the sensitive data according to the third-party server identifier and the content request identifier in the sensitive data request list.
On the cloud storage server, each user terminal's sensitive data differs from one third-party server to another. Taking the case where the sensitive data corresponding to the content request identifier is login authentication data (account and login password) as an example: user terminal 001's login information at Baidu (a third-party server) has the account Zhang San and the login password 123456, while user terminal 001's login information at Tencent has the account Zhang San1 and the login password 654321. The cloud storage server therefore needs to obtain the sensitive data for the third-party server identifier and content request identifier that currently apply to the user terminal.
Step S206: the cloud storage server sends the sensitive data and the session identifier to the third-party server according to the third-party server identifier, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
In the above method, after receiving the sensitive data request list uploaded by the user terminal, the cloud server obtains the corresponding sensitive data according to the content carried in the list and sends it to the third-party server. The entire transfer of sensitive data does not involve the website, which effectively prevents malicious websites or viruses from intercepting the sensitive data. At the same time, the transfer does not require much user involvement, nor does the user need to remember which sensitive data corresponds to which third-party server. This simplifies the user's operations and improves the convenience and security of sensitive operations.
In the embodiments of the present invention, the cloud storage server may obtain the sensitive data according to the third-party server identifier and the content request identifier in the request list in several ways. For example: the cloud storage server determines, according to those two identifiers, whether the cloud storage database holds corresponding sensitive data. If it does, the sensitive data is extracted from the cloud storage database; if not, the cloud storage server generates the corresponding sensitive data according to the two identifiers or obtains it from the user terminal.
Because there are several sensitive data request scenarios in practice, the cloud storage server may also obtain the sensitive data according to the specific scenario. For example: (1) when the content request identifier indicates that the requested sensitive data is user identity registration data, the cloud storage server generates a login password, selects from the cloud storage database the account corresponding to the user terminal and the registration information other than the login password and account, and uses the account, the login password, and that other registration information as the sensitive data corresponding to the request list; (2) when the content request identifier indicates that the requested sensitive data is login authentication data, the cloud storage server looks up in the cloud storage database the account and login password of the user terminal for the third-party server identifier, and uses them as the sensitive data corresponding to the request list; (3) when the content request identifier indicates that the requested sensitive data is privacy authorization data, the cloud storage server looks up the corresponding privacy authorization data in the cloud storage database and uses it as the sensitive data corresponding to the request list.
To increase user interaction, before the step in which the cloud storage server sends the sensitive data and the session identifier to the third-party server according to the third-party server identifier, the method further includes: the cloud storage server sends the obtained sensitive data to the user terminal and, on receiving the confirmation returned by the user terminal, performs the step of sending the sensitive data and the session identifier to the third-party server. If no confirmation from the user is received, a prompt is sent to the user terminal or some other handling is applied.
Because the user may sometimes need to update or modify the sensitive data obtained by the cloud storage server, before the cloud storage server sends the sensitive data and the session identifier to the third-party server according to the third-party server identifier, the method may further include: the cloud storage server sends the obtained sensitive data to the user terminal for modification; the cloud storage server receives the user-modified sensitive data returned by the user terminal, uses it as the final sensitive data corresponding to the request list, and synchronizes the modified sensitive data to the cloud storage database.
Because sensitive data is requested in several different scenarios, the embodiments of the present invention provide, in specific implementations, a targeted way of obtaining the sensitive data for each scenario:
Request scenario 1: user identity registration
(1) When the content request identifier indicates that the request scenario is user identity registration, the cloud storage server generates a login password, selects from the cloud storage database the account corresponding to the user terminal and the registration information other than the login password and account (for example: gender, date of birth, education, mobile phone number, ID card number), and sends the account, the login password, and the other registration information to the user terminal as the initial sensitive data corresponding to the third-party server identifier;
(2) The user terminal displays the initial sensitive data to the user and waits for the user to modify or confirm it;
(3) On receiving a modification from the user, the user terminal uploads the modified sensitive data to the cloud storage server; the cloud storage server receives the modified sensitive data, uses it as the sensitive data corresponding to the third-party server identifier and the content request identifier, and synchronizes it to the cloud storage database;
(4) On receiving a confirmation from the user, the user terminal uses the initial sensitive data as the sensitive data corresponding to the third-party server identifier and the content request identifier, and synchronizes the initial sensitive data to the cloud storage database.
As this shows, the user may modify the sensitive data sent by the cloud storage server or confirm it directly without modification. The registration-related sensitive data for the third-party server is synchronized to the cloud storage database, where the third-party server identifier, the user terminal identifier, and the registration-related sensitive data can be bound together and saved.
Request scenario 2: identity login authentication
(1) When the content request identifier indicates that the request scenario is user identity login authentication, the cloud storage server selects from the cloud storage database the account and login password of the user terminal for the third-party server identifier, and sends them to the user terminal;
(2) The user terminal displays the account and login password to the user and, after receiving the user's confirmation, uploads a notification to the cloud storage server that the user has confirmed;
(3) After receiving the notification, the cloud storage server uses the account and login password as the sensitive data corresponding to the third-party server identifier and the content request identifier.
Request scenario 3: user privacy information authorization
(1) When the content request identifier indicates that the request scenario is user privacy information authorization, the cloud storage server selects from the cloud storage database the privacy authorization information of the user terminal for the third-party server identifier, and sends it to the user terminal;
(2) The user terminal displays the privacy authorization information to the user and waits for the user to modify or confirm it;
(3) On receiving a modification from the user, the user terminal uploads the modified privacy authorization information to the cloud storage server; the cloud storage server receives it, uses it as the sensitive data corresponding to the third-party server identifier and the content request identifier, and synchronizes the modified privacy authorization information to the cloud storage database;
(4) On receiving a confirmation from the user, the user terminal uses the privacy authorization information (that is, the information the cloud storage server selected in step (1) and sent to the user terminal) as the sensitive data corresponding to the third-party server identifier and the content request identifier.
Referring to the schematic diagram of the sensitive data authorization method shown in Figure 3, the method includes the following steps:
Step S302: the user accesses the third-party client and enters a sensitive data request scenario (such as logging in, registering, filling in credit card information, or filling in a mailing address).
Step S304: the third-party client sends the sensitive data request scenario to the third-party server over HTTP or a socket (equivalent to sending a sensitive data request to the third-party server).
Step S306: the third-party server checks the legitimacy of the third-party client (phishing website, copycat website, etc.). If the third-party client is not legitimate, the process is terminated directly; if it is legitimate, step S308 is performed.
Step S308: the third-party server generates a sensitive data request list according to the scenario (for example, the content request identifier). The list contains at least the identification code of the third-party server (domain name, IP address, AppKey, etc.), the identification code of the list (equivalent to the session identifier above; it may be a string of random numbers, a time hash value, or the like), and metadata indicating the request scenario (equivalent to the content request identifier above). The metadata may also include the field names and format requirements of the sensitive data.
Step S310: the third-party server sends the sensitive data request list to the third-party client in text form or as a two-dimensional code (stacked, matrix, etc.).
Step S312: the third-party client displays the two-dimensional code of the sensitive data request list to the user. Specifically, the third-party client loads the received two-dimensional code (or receives the text and converts it into a two-dimensional code) into the page and displays it to the user.
Step S314: the user logs in to the user's personal terminal (by account and password, biometric information, gesture, etc.), then scans and parses the two-dimensional code to obtain the sensitive data request list.
Step S316: the user's personal terminal sends the sensitive data request list to the cloud storage server.
Step S318: the cloud storage server obtains the required sensitive data according to the third-party server identification code and the metadata in the list (the data may be incomplete at this point), for example by retrieving the required sensitive data from the cloud storage database. In the user identity registration scenario, the cloud storage server may also automatically generate a login password and add it to the sensitive data.
Step S320: the cloud storage server sends the sensitive data to the user's personal terminal.
Step S322: the user's personal terminal displays the sensitive data to the user, who checks it and makes any necessary modifications or additions (for sensitive data such as a screen name or motto there may be a process that intelligently generates default values to reduce the time the user spends thinking); the user may also leave it unmodified.
Step S324: after checking that the sensitive data is correct, the user taps confirm, and the user's personal terminal sends the sensitive data updated and confirmed by the user to the cloud storage server.
Step S326: the cloud storage server synchronizes the updated sensitive data (modified or added) to the cloud storage database.
Step S328: the cloud storage server looks up the interface address of the third-party server (Web API, Web Service, etc.) according to the identification code in the list.
Step S330: the cloud storage server sends the required sensitive data to the third-party server through that interface address.
Step S332: the third-party server receives the sensitive data and checks its business logic according to the scenario (for a login, it verifies the account information; for a registration or form submission, it checks whether the fields are valid). After the check passes, it performs the operations that the scenario and the business require on the sensitive data.
Step S334: the third-party server sends the operation result to the third-party client (it notifies the third-party client only of a result and does not disclose the sensitive data to it).
Step S336: after receiving the result from the third-party server, the third-party client completes the sensitive data request scenario.
The third-party server may also send the check result to the user's personal terminal (possibly relayed through the cloud storage server).
In the above method, the website never comes into contact with the sensitive data, which effectively prevents threats such as phishing websites, keylogging Trojans, and viruses from intercepting the user's sensitive data. The user can authorize sensitive data without touching a keyboard (including a virtual keyboard) at all, or by only tapping a confirm button, which is quick and convenient. The user does not need to remember which sensitive data corresponds to which website and only needs to manage their own sensitive data on the cloud storage server. In addition, because the cloud storage server acts as a centralized store of the user's sensitive data, if the user terminal is lost the user can obtain a new user terminal and restore the sensitive data from the cloud storage server, which makes the scheme highly practical.
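The flow of steps S302 to S336 above, sketched as an added example (not code from the patent). The class names, the content request identifier strings, the field-validity rules, and the sample terminal and server identifiers are assumptions; a direct method call stands in for the third-party server's interface address, and the session identifier uses the random-string option and is treated as single use.

```python
import secrets
from dataclasses import dataclass, field

# Content request identifiers for the page's three scenarios (string values are assumptions).
REGISTER, LOGIN, PRIVACY = "register", "login", "privacy"


@dataclass
class ThirdPartyServer:
    server_id: str                                  # domain name, IP address or AppKey
    accounts: dict = field(default_factory=dict)    # account -> password
    pending: dict = field(default_factory=dict)     # session id -> content request identifier

    def build_request_list(self, content_id, client_ok=True):
        """S306-S308: refuse an illegitimate client, otherwise issue the request list."""
        if not client_ok:
            return None
        session_id = secrets.token_urlsafe(16)      # the "string of random numbers" option
        self.pending[session_id] = content_id
        return {"server_id": self.server_id, "session_id": session_id,
                "content_id": content_id}

    def receive(self, session_id, data):
        """S332-S334: the session identifier selects the business-logic check.
        Only a status string goes back to the client, never the data itself."""
        content_id = self.pending.pop(session_id, None)   # single use: a replay finds nothing
        if content_id is None:
            return "rejected: unknown session"
        account, password = data.get("account", ""), data.get("password", "")
        if content_id == LOGIN:
            stored = self.accounts.get(account)
            ok = stored is not None and secrets.compare_digest(stored, password)
        elif content_id == REGISTER:
            # Field-validity rules here are assumptions made for the example.
            ok = bool(account) and account not in self.accounts and len(password) >= 8
            if ok:
                self.accounts[account] = password
        else:
            ok = bool(data.get("mailing_address"))
        return "ok" if ok else "rejected: business logic check failed"


class CloudStorageServer:
    def __init__(self, endpoints, profiles):
        self.endpoints = endpoints   # server id -> interface (S328); an object stands in for a Web API
        self.profiles = profiles     # terminal id -> default registration information
        self.db = {}                 # (terminal id, server id, kind) -> sensitive data

    @staticmethod
    def _kind(content_id):
        # Registration and login share one credentials record per (terminal, server) pair.
        return "privacy" if content_id == PRIVACY else "credentials"

    def fetch(self, terminal_id, req):
        """S318: select data by third-party server identifier and content request identifier."""
        if req["content_id"] == REGISTER:
            # Registration: stored profile plus a freshly generated login password.
            return {**self.profiles.get(terminal_id, {}),
                    "password": secrets.token_urlsafe(12)}
        key = (terminal_id, req["server_id"], self._kind(req["content_id"]))
        return dict(self.db.get(key, {}))

    def deliver(self, terminal_id, req, confirmed):
        """S326-S330: sync the confirmed data, resolve the interface, send data and session id."""
        target = self.endpoints.get(req["server_id"])
        if target is None:
            return "rejected: unknown third-party server"
        key = (terminal_id, req["server_id"], self._kind(req["content_id"]))
        self.db[key] = dict(confirmed)
        return target.receive(req["session_id"], confirmed)


def run_flow(server, cloud, terminal_id, content_id, edits=None, confirmed=True):
    """One pass through S302-S336; the client only relays the list and sees the status."""
    req = server.build_request_list(content_id)   # client request -> list shown as a code pattern
    if req is None:
        return "terminated"
    data = cloud.fetch(terminal_id, req)          # terminal scans the code and uploads the list
    data.update(edits or {})                      # S322: the user may modify or supplement
    if not confirmed:                             # S324: nothing is forwarded without confirmation
        return "not confirmed"
    return cloud.deliver(terminal_id, req, data)


def demo():
    # Constructed sample data: two third-party servers and one user terminal.
    site_a, site_b = ThirdPartyServer("site-a.example"), ThirdPartyServer("site-b.example")
    cloud = CloudStorageServer({s.server_id: s for s in (site_a, site_b)},
                               {"terminal-001": {"account": "zhangsan"}})
    return {
        "register_a": run_flow(site_a, cloud, "terminal-001", REGISTER),
        "login_a": run_flow(site_a, cloud, "terminal-001", LOGIN),
        "login_b": run_flow(site_b, cloud, "terminal-001", LOGIN),  # never registered at site B
    }


if __name__ == "__main__":
    print(demo())
```

Because the cloud storage record is keyed by both the terminal and the third-party server identifier, credentials registered for one server are never selected for a request list issued by another.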
对应于上述方法中的第三方服务器,本发明实施例还提供了一种服务器,该服务器对应上述第三方服务器,参见图4所示,该服务器包括以下模块:Corresponding to the third-party server in the above method, an embodiment of the present invention also provides a server, the server corresponds to the above-mentioned third-party server, as shown in Figure 4, the server includes the following modules:
请求接收模块41,用于接收来自客户端的敏感数据索取请求,其中,该敏感数据索取请求携带有内容索取标识;该内容索取标识用以指明用户当前的索取场景,例如:索取场景为以下之一:用户身份注册场景、登录认证场景或用户隐私信息授权(如填写信用卡信息或填写邮寄地址等)场景等。The request receiving module 41 is configured to receive a sensitive data request from a client, wherein the sensitive data request carries a content request identifier; the content request identifier is used to indicate the user's current request scenario, for example: the request scenario is one of the following : User identity registration scenario, login authentication scenario or user privacy information authorization (such as filling in credit card information or filling in mailing address, etc.) scenarios, etc.
清单生成模块42,用于对上述客户端进行合法性检验通过后,根据上述内容索取标识生成敏感数据索取清单,其中,该敏感数据索取清单包括:该服务器的标识、会话标识和上述内容索取标识;The list generation module 42 is configured to generate a sensitive data request list according to the above content request identification after passing the legitimacy check of the above client, wherein the sensitive data request list includes: the server identification, session identification and the above content request identification ;
清单通知模块43,用于将上述敏感数据索取清单通过上述客户端通知给用户终端;A list notification module 43, configured to notify the user terminal of the above-mentioned sensitive data request list through the above-mentioned client;
数据接收模块44,用于接收来自云存储服务器的敏感数据和会话标识;其中,该敏感数据为云存储服务器根据上述用户终端上传的敏感数据索取清单获取的;The data receiving module 44 is configured to receive sensitive data and session identifiers from the cloud storage server; wherein, the sensitive data is obtained by the cloud storage server according to the request list for sensitive data uploaded by the above-mentioned user terminal;
敏感数据处理模块45,用于根据上述会话标识对上述敏感数据执行相应的操作,并将操作结果发送给上述客户端和/或用户终端。The sensitive data processing module 45 is configured to perform a corresponding operation on the above sensitive data according to the above session identifier, and send the operation result to the above client and/or user terminal.
上述服务器在接收到客户端的敏感数据索取请求后,通过下发敏感数据索取清单的方式,触发用户终端通知云存储服务器将该清单对应的敏感数据发送给该服务器,整个敏感数据的传递过程没有涉及到网站,有效防止了恶意网站或病毒截获敏感数据,同时,敏感数据的传递过程不需要用户过多参与,也不需要用户记忆敏感数据与服务器的对应关系,简化了用户的操作,提升了敏感操作的便利性和安全性。After receiving the sensitive data request request from the client, the above server triggers the user terminal to notify the cloud storage server to send the sensitive data corresponding to the list to the server by issuing a sensitive data request list. The entire sensitive data transfer process does not involve To the website, it effectively prevents malicious websites or viruses from intercepting sensitive data. At the same time, the transfer process of sensitive data does not require users to participate too much, and does not require users to remember the corresponding relationship between sensitive data and servers, which simplifies user operations and improves sensitivity. Convenience and safety of operation.
上述清单通知模块43包括:码型转换与下发单元,用于将敏感数据索取清单转换为对应的码型,通过上述客户端向用户终端展示码型,以使该用户终端解析该码型得到敏感数据索取清单;或者包括:清单文本下发单元,用于将上述敏感数据索取清单以文本形式下发给客户端,触发该客户端将接收到的文本形式的敏感数据索取清单转换为对应的码型展示给用户终端,以使该用户终端解析码型得到敏感数据索取清单;其中,上述码型包括以下之一:二维码、三维码、四维码或条形码等。The above-mentioned list notification module 43 includes: a code type conversion and delivery unit, which is used to convert the sensitive data request list into a corresponding code type, and display the code type to the user terminal through the above-mentioned client, so that the user terminal can analyze the code type to obtain Sensitive data request list; or include: a list text issuing unit, configured to send the above sensitive data request list to the client in text form, triggering the client to convert the received sensitive data request list in text form into a corresponding The code pattern is displayed to the user terminal, so that the user terminal analyzes the code pattern to obtain a sensitive data request list; wherein, the code pattern includes one of the following: two-dimensional code, three-dimensional code, four-dimensional code or barcode, etc.
The above sensitive data processing module includes: a business logic checking unit, configured to check, according to the session identifier, whether the business logic of the sensitive data is correct; and a sensitive data processing unit, configured to perform the operation corresponding to the session identifier on the sensitive data when the check result of the business logic checking unit is correct.
Corresponding to the cloud storage server in the above method, an embodiment of the present invention further provides a cloud storage server. As shown in FIG. 5, the cloud storage server includes the following modules:
A list receiving module 51, configured to receive the sensitive data request list uploaded by the user terminal, where the sensitive data request list is generated by the third-party server according to the content request identifier in the client's sensitive data request and is notified to the user terminal through the client; the sensitive data request list includes the identifier of the third-party server, the session identifier and the content request identifier;
A sensitive data acquisition module 52, configured to acquire the sensitive data according to the sensitive data request list;
A data sending module 53, configured to send the sensitive data and the session identifier to the third-party server according to the identifier of the third-party server, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
After receiving the sensitive data request list uploaded by the user terminal, the cloud server of this embodiment acquires the corresponding sensitive data according to the content carried in the list and sends the sensitive data to the third-party server. The website is not involved at any point in the transfer of the sensitive data, which effectively prevents malicious websites or viruses from intercepting it. At the same time, the transfer does not require much user involvement, and the user does not need to remember which sensitive data corresponds to which third-party server, which simplifies user operation and improves the convenience and security of sensitive operations.
Preferably, the sensitive data acquisition module 52 includes: a sensitive data judging unit, configured to judge, according to the sensitive data request list, whether the cloud storage database holds corresponding sensitive data; a sensitive data extraction unit, configured to extract the sensitive data from the cloud storage database when the judging unit's result is that it does; and a sensitive data obtaining unit, configured, when the judging unit's result is that it does not, to generate the corresponding sensitive data according to the sensitive data request list or to obtain the sensitive data corresponding to the list from the user terminal.
Preferably, the sensitive data acquisition module 52 includes: a registration data acquisition unit, configured, when the content request identifier indicates that the requested sensitive data is user identity registration data, to generate a login password, select from the cloud storage database the account corresponding to the user terminal together with the registration information other than the login password and account, and use the account, the login password and that other registration information as the sensitive data corresponding to the sensitive data request list; a login authentication data acquisition unit, configured, when the content request identifier indicates that the requested sensitive data is login authentication data, to look up in the cloud storage database the account and login password of the user terminal that correspond to the identifier of the third-party server, and use the account and login password as the sensitive data corresponding to the sensitive data request list; and a privacy authorization data acquisition unit, configured, when the content request identifier indicates that the requested sensitive data is privacy authorization data, to look up the corresponding privacy authorization data in the cloud storage database and use it as the sensitive data corresponding to the sensitive data request list.
In the embodiments of the present invention, the sensitive data is stored in the cloud storage server. When the user needs to provide sensitive data during an interaction, the cloud storage server acquires the corresponding sensitive data according to the sensitive data request list issued by the third-party server and provides it to the third-party server. The operation is simple and convenient, and because the sensitive data never touches the website during the transfer, it is safe and reliable.
Corresponding to the above method and servers, an embodiment of the present invention further provides a sensitive data authorization system. As shown in FIG. 6, the system includes a third-party server 40 and a cloud storage server 50. The third-party server may use the server structure shown in FIG. 4, and the cloud storage server 50 may use the cloud storage server structure shown in FIG. 5.
After receiving the sensitive data request from the client, the third-party server in this system issues a sensitive data request list, which triggers the user terminal to notify the cloud storage server to send the sensitive data corresponding to the list to the third-party server. The website is not involved at any point in the transfer of the sensitive data, which effectively prevents malicious websites or viruses from intercepting it. At the same time, the transfer does not require much user involvement, and the user does not need to remember which sensitive data corresponds to which third-party server, which simplifies user operation and improves the convenience and security of sensitive operations.
In the above method and system, the sensitive data is transferred through the cloud storage server. In practical applications, the sensitive data can also be transferred directly by the user terminal. On this basis, an embodiment of the present invention further provides a sensitive data authorization method. Referring to the flowchart of the sensitive data authorization method shown in FIG. 7, the method is described from the third-party server side as an example and includes the following steps:
Step S702: the third-party server receives a sensitive data request from the client, where the sensitive data request carries a content request identifier;
Step S704: after the client passes the third-party server's legitimacy check, the third-party server generates a sensitive data request list according to the content request identifier, where the sensitive data request list includes the identifier of the third-party server, a session identifier and the content request identifier;
Step S706: the third-party server notifies the user terminal of the sensitive data request list through the client;
Step S708: the third-party server receives the sensitive data and the session identifier from the user terminal, where the sensitive data is obtained by the user terminal from a local database or from the cloud storage server according to the sensitive data request list;
Step S710: the third-party server performs the corresponding operation on the sensitive data according to the session identifier and sends the operation result to the client and/or the user terminal.
The specific content of each identifier in this method is the same as in the above embodiments and is not repeated here.
In the method of this embodiment, after receiving the sensitive data request from the client, the third-party server issues a sensitive data request list, which triggers the user terminal to obtain the sensitive data corresponding to the list and send it to the third-party server. The website is not involved at any point in the transfer of the sensitive data, which effectively prevents malicious websites or viruses from intercepting it. At the same time, the transfer does not require much user involvement, and the user does not need to remember which sensitive data corresponds to which third-party server, which simplifies user operation and improves the convenience and security of sensitive operations.
Referring to the flowchart of the sensitive data authorization method shown in FIG. 8, the method is described from the user terminal side as an example and includes the following steps:
Step S802: the user terminal receives, through the client, the sensitive data request list notified by the third-party server, where the sensitive data request list is generated by the third-party server according to the content request identifier in the client's sensitive data request; the sensitive data request list includes the identifier of the third-party server, the session identifier and the content request identifier;
Step S804: the user terminal obtains the sensitive data from a local database or from the cloud storage server according to the identifier of the third-party server and the content request identifier in the sensitive data request list;
Step S806: the user terminal sends the sensitive data and the session identifier to the third-party server according to the identifier of the third-party server, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
In the method of this embodiment, after receiving the sensitive data request list notified by the third-party server, the user terminal obtains the corresponding sensitive data according to the content carried in the list and sends the sensitive data to the third-party server. The website is not involved at any point in the transfer of the sensitive data, which effectively prevents malicious websites or viruses from intercepting it. At the same time, the transfer does not require much user involvement, and the user does not need to remember which sensitive data corresponds to which third-party server, which simplifies user operation and improves the convenience and security of sensitive operations.
In a specific implementation, the user terminal receiving, through the client, the sensitive data request list notified by the third-party server may include: the user terminal receives, through the client, the code pattern of the sensitive data request list, where the code pattern is generated by the third-party server or the client according to the sensitive data request list and is one of the following: a two-dimensional code, a three-dimensional code, a four-dimensional code, a barcode, or the like; and the user terminal parses the code pattern to obtain the sensitive data request list.
To enhance security, the user terminal receiving, through the client, the code pattern of the sensitive data request list issued by the third-party server includes: when the user terminal receives the user's instruction to open the scanning application, it verifies whether the user's identity is legitimate and, if so, scans the code pattern displayed on the client. The user terminal verifies the user's identity in one of the following ways: (1) the user terminal verifies whether the user's biometric information is legitimate; (2) the user terminal verifies whether the username and password entered by the user are legitimate; (3) the user terminal verifies whether the graphic pattern entered by the user is legitimate. Adding this identity verification step effectively prevents another person from operating a legitimate user terminal and stealing information involved in the communication.
The user terminal obtaining the sensitive data from the cloud storage server may include: the user terminal sends the sensitive data request list to the cloud storage server, so that the cloud storage server either looks up the sensitive data or generates the sensitive data according to the identifier of the third-party server and the content request identifier in the sensitive data request list; and the user terminal receives the sensitive data delivered by the cloud storage server.
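The exchange in steps S702 to S710 and S802 to S806, as an added Python example that is not code from the patent. The JSON encoding of the list, the client allowlist used as the legitimacy check, single-use sessions with a lifetime, the required-field test used as the business logic check, and all identifier strings are assumptions; in-process calls stand in for the network and for the code-pattern scan.

```python
import json
import secrets
import time

# Constructed identifiers: the patent names these three kinds of sensitive data
# but not how the content request identifier encodes them.
LOGIN, REGISTER, PRIVACY_AUTH = "LOGIN", "REGISTER", "PRIVACY_AUTH"
REQUIRED_FIELDS = {  # assumed shape of each kind, used as the business logic check
    LOGIN: {"account", "password"},
    REGISTER: {"account", "password", "profile"},
    PRIVACY_AUTH: {"grant"},
}


class ThirdPartyServer:
    """Server side, steps S702 to S710."""

    def __init__(self, server_id, trusted_clients, session_ttl=120):
        self.server_id = server_id
        self.trusted_clients = set(trusted_clients)  # assumed legitimacy check
        self.session_ttl = session_ttl               # assumed lifetime, seconds
        self.pending = {}                            # session_id -> (content_id, deadline)

    def handle_request(self, client_id, content_id, now=None):
        """S702-S706: check the client, then return the request list as text."""
        now = time.time() if now is None else now
        if client_id not in self.trusted_clients or content_id not in REQUIRED_FIELDS:
            raise PermissionError("request failed the legitimacy check")
        session_id = secrets.token_urlsafe(16)
        self.pending[session_id] = (content_id, now + self.session_ttl)
        return json.dumps({"server_id": self.server_id,
                           "session_id": session_id, "content_id": content_id})

    def receive(self, session_id, data, now=None):
        """S708-S710: act on the data only for a live session that asked for it."""
        now = time.time() if now is None else now
        entry = self.pending.pop(session_id, None)   # single use (assumption)
        if entry is None:
            return "rejected: unknown or replayed session"
        content_id, deadline = entry
        if now > deadline:
            return "rejected: session expired"
        if not REQUIRED_FIELDS[content_id] <= set(data):
            return "rejected: business logic check failed"
        return f"ok: {content_id} completed"


class UserTerminal:
    """Terminal side, steps S802 to S806."""

    def __init__(self, local_db, cloud_db, servers):
        self.local_db = local_db  # (server_id, content_id) -> sensitive data
        self.cloud_db = cloud_db  # stand-in for the cloud storage server
        self.servers = servers    # server_id -> ThirdPartyServer (stand-in for routing)

    def handle_list(self, list_text, now=None):
        try:                                              # S802: parse the scanned list
            req = json.loads(list_text)
            key = (req["server_id"], req["content_id"])
            session_id = req["session_id"]
        except (ValueError, KeyError, TypeError):
            return "refused: malformed list"
        data = self.local_db.get(key) or self.cloud_db.get(key)   # S804
        if data is None or key[0] not in self.servers:
            return "refused: no data held for this server"
        # S806: data goes straight to the server named in the list, not via the client
        return self.servers[key[0]].receive(session_id, data, now)


def demo():
    """Run the flow on constructed data and return the outcome of each case."""
    shop = ThirdPartyServer("shop.example", trusted_clients={"browser-1"})
    terminal = UserTerminal(
        local_db={("shop.example", LOGIN): {"account": "alice", "password": "constructed"},
                  ("shop.example", REGISTER): {"account": "alice"}},
        cloud_db={("shop.example", PRIVACY_AUTH): {"grant": "email"}},
        servers={"shop.example": shop})
    out = {}
    first = shop.handle_request("browser-1", LOGIN, now=1000)
    out["first"] = terminal.handle_list(first, now=1010)
    out["replay"] = terminal.handle_list(first, now=1020)
    late = shop.handle_request("browser-1", LOGIN, now=2000)
    out["expired"] = terminal.handle_list(late, now=2500)
    cloud = shop.handle_request("browser-1", PRIVACY_AUTH, now=3000)
    out["cloud"] = terminal.handle_list(cloud, now=3001)
    reg = shop.handle_request("browser-1", REGISTER, now=4000)
    out["incomplete"] = terminal.handle_list(reg, now=4001)
    forged = json.dumps({"server_id": "unknown.example", "session_id": "x",
                         "content_id": LOGIN})
    out["unknown_server"] = terminal.handle_list(forged, now=4002)
    try:
        shop.handle_request("unlisted-client", LOGIN)
        out["untrusted_client"] = "issued"
    except PermissionError:
        out["untrusted_client"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The client only ever carries the request list; the account and password move from the terminal to the server identified in the list, and the server accepts them once, for the session it issued.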
Corresponding to the third-party server in the above method, an embodiment of the present invention further provides a server. As shown in FIG. 9, the server includes the following modules:
A request receiving module 91, configured to receive a sensitive data request from the client, where the sensitive data request carries a content request identifier;
A request list generation module 92, configured to generate a sensitive data request list according to the content request identifier after the client passes the legitimacy check, where the sensitive data request list includes the identifier of the server, a session identifier and the content request identifier;
A request list notification module 93, configured to notify the user terminal of the sensitive data request list through the client;
A data and identifier receiving module 94, configured to receive the sensitive data and the session identifier from the user terminal, where the sensitive data is obtained by the user terminal from a local database or from the cloud storage server according to the sensitive data request list;
A processing module 95, configured to perform the corresponding operation on the sensitive data according to the session identifier and send the operation result to the client and/or the user terminal.
After receiving the sensitive data request from the client, the server of this embodiment issues a sensitive data request list, which triggers the user terminal to obtain the sensitive data corresponding to the list and send it to the server. The website is not involved at any point in the transfer of the sensitive data, which effectively prevents malicious websites or viruses from intercepting it. At the same time, the transfer does not require much user involvement, and the user does not need to remember which sensitive data corresponds to the server, which simplifies user operation and improves the convenience and security of sensitive operations.
Corresponding to the above method, an embodiment of the present invention further provides a user terminal. Referring to the structural block diagram of the user terminal shown in FIG. 10, the user terminal includes the following modules:
A request list receiving module 12, configured to receive, through the client, the sensitive data request list notified by the third-party server, where the sensitive data request list is generated by the third-party server according to the content request identifier in the client's sensitive data request; the sensitive data request list includes the identifier of the third-party server, the session identifier and the content request identifier;
A data acquisition module 14, configured to obtain the sensitive data from a local database or from the cloud storage server according to the sensitive data request list;
A data and identifier sending module 16, configured to send the sensitive data and the session identifier to the third-party server according to the identifier of the third-party server, so that the third-party server performs the corresponding operation on the sensitive data according to the session identifier.
After receiving the sensitive data request list notified by the third-party server, the user terminal of this embodiment obtains the corresponding sensitive data according to the content carried in the list and sends the sensitive data to the third-party server. The website is not involved at any point in the transfer of the sensitive data, which effectively prevents malicious websites or viruses from intercepting it. At the same time, the transfer does not require much user involvement, and the user does not need to remember which sensitive data corresponds to which third-party server, which simplifies user operation and improves the convenience and security of sensitive operations.
The user terminal may further include: a user identity verification module, configured to verify whether the user's identity is legitimate when the user's instruction to start scanning is received; a scanning module, configured to scan the code pattern of the sensitive data request list when the user identity verification module verifies that the user is legitimate; and a parsing module, configured to parse the code pattern to obtain the sensitive data request list. When verifying the user's identity, the user identity verification module may use the specific verification methods described in the above method, which are not repeated here.
Corresponding to the above method and devices (server and user terminal), an embodiment of the present invention further provides a sensitive data authorization system that includes a third-party server and a user terminal. As shown in the structural block diagram of the sensitive data authorization system in FIG. 11, the third-party server 90 may be implemented with the server structure shown in FIG. 9, and the user terminal 100 may be implemented with the user terminal structure shown in FIG. 10. The specific functions of the third-party server and the user terminal in this system are similar to those in the above embodiments and are not detailed again here.
The technology provided by the above embodiments can be applied to user identity registration, login, authorization of other private information, and so on. In use, it avoids having the user type sensitive data on a keyboard, which to some extent reduces exposure to phishing attacks. The technology also turns the filling-in of sensitive data such as login, registration and personal private information into a transfer of sensitive data, so users can complete the corresponding operations without learning a keyboard input method. This lowers the learning cost, makes the technology usable by all kinds of users, and improves the user experience.
The flowcharts and block diagrams in the accompanying drawings show the architecture, functions and operations of possible implementations of systems, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
Referring to FIG. 12, an embodiment of the present invention further provides a sensitive data authorization device 120, including a processor 20, a memory 21, a bus 22 and a communication interface 23. The processor 20, the communication interface 23 and the memory 21 are connected through the bus 22. The processor 20 is used to execute executable modules stored in the memory 21, such as computer programs.
The memory 21 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one disk memory. The communication connection between this system network element and at least one other network element is realized through at least one communication interface 23 (which may be wired or wireless), and may use the Internet, a wide area network, a local network, a metropolitan area network, and so on.
The bus 22 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one double-headed arrow is shown in FIG. 12, but this does not mean that there is only one bus or one type of bus.
The memory 21 is used to store a program, and the processor 20 executes the program after receiving an execution instruction. The method performed by the device (server, cloud server or user terminal) defined by the process disclosed in any of the foregoing embodiments of the present invention may be applied to, or implemented by, the processor 20.
The processor 20 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 20 or by instructions in the form of software. The processor 20 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and so on; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in this field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 21; the processor 20 reads the information in the memory 21 and completes the steps of the above method in combination with its hardware.
An embodiment of the present invention further provides a computer program product for performing the sensitive data authorization method, including a computer-readable storage medium storing program code. The instructions included in the program code can be used to execute the methods described in the foregoing method embodiments; for the specific implementation, refer to the method embodiments, which are not repeated here.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation; as another example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (24)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410659741.0A CN104468531B (en) | 2014-11-18 | 2014-11-18 | The authorization method of sensitive data, device and system |
PCT/CN2014/095384 WO2016078182A1 (en) | 2014-11-18 | 2014-12-29 | Authorization method, device and system for sensitive data |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410659741.0A CN104468531B (en) | 2014-11-18 | 2014-11-18 | The authorization method of sensitive data, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104468531A CN104468531A (en) | 2015-03-25 |
CN104468531B CN104468531B (en) | 2017-11-21 |
Family
ID=52913903
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410659741.0A Expired - Fee Related CN104468531B (en) | 2014-11-18 | 2014-11-18 | The authorization method of sensitive data, device and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104468531B (en) |
WO (1) | WO2016078182A1 (en) |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105610637A (en) * | 2015-09-24 | 2016-05-25 | 百度在线网络技术(北京)有限公司 | Sensitive information acquisition method and apparatus thereof |
TWI560555B (en) * | 2016-02-05 | 2016-12-01 | Synology Inc | Cloud service server and method for managing cloud service server |
US10311245B2 (en) * | 2016-03-08 | 2019-06-04 | Kalpesh S. Patel | Cyber security system and method for transferring data between servers without a continuous connection |
CN106161095B (en) * | 2016-07-15 | 2020-09-08 | 北京奇虎科技有限公司 | Data leakage early warning method and device |
CN106330871A (en) * | 2016-08-17 | 2017-01-11 | 成都聚美优品科技有限公司 | Sensitive data protection method |
CN107623671B (en) * | 2016-12-05 | 2020-12-11 | 上海辉冠信息科技有限公司 | Software licensing service implementing method |
CN108270719A (en) * | 2016-12-30 | 2018-07-10 | 广东精点数据科技股份有限公司 | A kind of data safe transmission method and device based on digital signature |
CN107196943B (en) * | 2017-05-26 | 2019-09-20 | 浙江大学 | A method for implementing secure display of private data on a third-party platform |
CN107222509A (en) * | 2017-07-17 | 2017-09-29 | 郑州云海信息技术有限公司 | A kind of guard method of network Web service data and device based on cloud storage |
CN110119632B (en) * | 2018-02-05 | 2021-01-15 | 中国移动通信有限公司研究院 | Sensitive data request method, apparatus, system, and computer-readable storage medium |
CN108664802B (en) * | 2018-03-20 | 2021-10-08 | 西安烽火软件科技有限公司 | Sensitive data protection method and system |
CN108632258B (en) * | 2018-04-16 | 2020-12-18 | 新华三信息安全技术有限公司 | Access message processing method and device |
CN109186040A (en) * | 2018-09-14 | 2019-01-11 | 南京理工技术转移中心有限公司 | A kind of metro environment remote monitoring system and its working method |
CN108848117A (en) * | 2018-09-14 | 2018-11-20 | 南京理工技术转移中心有限公司 | A kind of cultivation surroundings monitoring system and its working method |
CN111182015A (en) * | 2018-11-12 | 2020-05-19 | 北京场景互娱传媒科技有限公司 | User information acquisition and unification method and device and electronic equipment |
CN110716971A (en) * | 2019-08-28 | 2020-01-21 | 深圳壹账通智能科技有限公司 | Data calling method for third-party database and related equipment |
CN114679317B (en) * | 2019-12-26 | 2024-07-05 | 支付宝(杭州)信息技术有限公司 | Data viewing method and device |
CN112329049B (en) * | 2020-01-23 | 2024-11-29 | 北京沃东天骏信息技术有限公司 | Service data management method and device, electronic equipment and medium |
EP4170533A4 (en) * | 2020-07-08 | 2023-07-26 | Huawei Technologies Co., Ltd. | High-precision map, high-precision map generating method, and usage method |
CN112671786B (en) * | 2020-12-29 | 2022-06-28 | 科来网络技术股份有限公司 | System and method for safe login based on third party authentication |
CN113407998A (en) * | 2021-07-07 | 2021-09-17 | 南京真我信息科技有限公司 | Private data acquisition method and device, electronic equipment and readable storage medium |
CN114222301B (en) * | 2021-12-13 | 2024-04-12 | 奇安盘古(上海)信息技术有限公司 | Fraud site processing method, fraud site processing device and storage medium |
CN117390687B (en) * | 2023-12-11 | 2024-04-02 | 闪捷信息科技有限公司 | Sensitive data query method and device, storage medium and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103095720A (en) * | 2013-01-30 | 2013-05-08 | 中国科学院自动化研究所 | Safety management method of cloud memory system based on session management server |
CN103152330A (en) * | 2013-02-07 | 2013-06-12 | 百度在线网络技术(北京)有限公司 | Login method, login system and cloud server |
CN103795690A (en) * | 2012-10-31 | 2014-05-14 | 华为技术有限公司 | Cloud access control method, proxy server, and cloud access control system |
CN104113534A (en) * | 2014-07-02 | 2014-10-22 | 百度在线网络技术(北京)有限公司 | System and method for logging in applications (APPs) |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8601265B2 (en) * | 2010-11-22 | 2013-12-03 | Netapp, Inc. | Method and system for improving storage security in a cloud computing environment |
-
2014
- 2014-11-18 CN CN201410659741.0A patent/CN104468531B/en not_active Expired - Fee Related
- 2014-12-29 WO PCT/CN2014/095384 patent/WO2016078182A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103795690A (en) * | 2012-10-31 | 2014-05-14 | 华为技术有限公司 | Cloud access control method, proxy server, and cloud access control system |
CN103095720A (en) * | 2013-01-30 | 2013-05-08 | 中国科学院自动化研究所 | Safety management method of cloud memory system based on session management server |
CN103152330A (en) * | 2013-02-07 | 2013-06-12 | 百度在线网络技术(北京)有限公司 | Login method, login system and cloud server |
CN104113534A (en) * | 2014-07-02 | 2014-10-22 | 百度在线网络技术(北京)有限公司 | System and method for logging in applications (APPs) |
Also Published As
Publication number | Publication date |
---|---|
CN104468531A (en) | 2015-03-25 |
WO2016078182A1 (en) | 2016-05-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104468531B (en) | The authorization method of sensitive data, device and system | |
US11854003B2 (en) | Signature verification method, apparatus, and system | |
EP2878115B1 (en) | Online user account login method and server system implementing the method | |
US10657243B2 (en) | Variation analysis-based public turing test to tell computers and humans apart | |
CN103685311B (en) | A kind of login validation method and equipment | |
TWI587672B (en) | Login authentication method, client, server and system | |
CN101867929B (en) | Authentication method, system, authentication server and terminal equipment | |
CN108701309A (en) | A distributed user profile authentication system for e-commerce transaction security | |
CN104202345A (en) | Verification code generating method, device and system | |
CN107046544B (en) | Method and device for identifying illegal access request to website | |
CN109039987A (en) | A kind of user account login method, device, electronic equipment and storage medium | |
CN104348612A (en) | Third-party website login method based on mobile terminal and mobile terminal | |
WO2014040479A1 (en) | User identity authenticating method and device for preventing malicious harassment | |
WO2019095856A1 (en) | Network identity authentication method and system, and user agent device used thereby | |
CN104243474B (en) | Electronic equipment authenticity verification method and device | |
CN103763104B (en) | A kind of method and system of dynamic authentication | |
CN107733838A (en) | A kind of mobile terminal client terminal identity identifying method, device and system | |
CN105635064B (en) | CSRF attack detection method and device | |
CN110365483A (en) | Cloud platform authentication method, client, middleware and system | |
CN105162604A (en) | Feature image identification based verification method and system, and verification server | |
CN106357682A (en) | Phishing website detecting method | |
KR101940310B1 (en) | Apparatus for verifying website and method thereof | |
CN104079527A (en) | Information processing method and electronic equipment | |
CN108259436A (en) | Authenticating user identification processing method, application server and Verification System server | |
CN207442908U (en) | A network identity authentication device and a login device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20171121 |