Summary of the invention
The technical problem to be solved by the present invention is to overcome the defects of the prior art, in which the security authentication mechanism for network requests is not secure enough, is easily attacked, and is slow and inefficient; to this end, a security authentication method and system for network requests is provided.
The present invention solves the above technical problem by the following technical solution:
A security authentication method for network requests, characterized in that it comprises the following steps:
Step 1: the user terminal judges whether the logged-in user is logging in for the first time; if so, step 3 is performed, otherwise step 2 is performed;
Step 2: the user terminal determines whether it holds a security token (i.e. secure token) satisfying a first condition; if so, step 6 is performed, otherwise step 3 is performed. The first condition is that the security token has not expired, that it has not been used more than the default number of times, or both;
Step 3: the user terminal sends the user identity proof (i.e. uid) of the logged-in user to the server-side;
Step 4: the server-side generates a random token and records the user identity proof as a first record value (generally also referred to as the key), the default number of uses as the usable count, the sending time of the user identity proof plus a default duration as the expiry time, and the random token; it then returns the random token (i.e. random token) to the user terminal and prompts it to send a formal request;
Step 5: the user terminal generates a security token from the user identity proof, the user's password and the random token using the default security algorithm;
Step 6: the user terminal sends the user identity proof and the security token to the server-side;
Step 7: the server-side retrieves the recorded random token and the usable count and/or expiry time of the user; if there is no record, it returns an authentication failure and step 3 is performed;
Step 8: the server-side judges whether the current time exceeds the expiry time and/or whether the usable count is less than or equal to zero; if either judgement is yes, the server-side deletes the recorded information of the user, outputs an authentication failure message to the user terminal and terminates the security authentication process; if the judgement is no, step 9 is performed;
Step 9: the server-side computes a reference token from the recorded first record value (the user identity proof), the user's password and the random token using the security algorithm, and judges whether this reference token is identical to the security token sent by the user terminal; if so, the authentication succeeds, otherwise step 10 is performed;
Step 10: the server-side blocks the MAC address (i.e. physical address) of the user terminal for a default block duration.
The calculation involved in the security verification of the present invention is irreversible: even if an attacker intercepts or steals the encryption algorithm and the security token, the user's password cannot be derived from them. Moreover, the server-side needs to execute the security algorithm only once, for example the Secure Hash Algorithm of the preferred solution below, so the whole security verification process has a low computational load and a very high efficiency.
Preferably, the default security algorithm is a Secure Hash Algorithm, commonly referred to as an SHA algorithm. A Secure Hash Algorithm computes a digest of input information (such as a message). The digest process has the following features: different input information never has the same fingerprint; the digests of closely related inputs differ greatly; and it is computationally difficult to produce an input with the same fingerprint as a given input. This also means that the algorithm is irreversible, which effectively prevents the security algorithm from being cracked by reversal.
Preferably, the default security algorithm further includes encrypting the user's password. It is readily understood that encrypting the user's password is only a small part of the security algorithm; the security algorithm as a whole uses the encrypted user password together with the other information in its complete computation.
Preferably, in the default security algorithm the user's password is encrypted using the MD5 encryption algorithm.
Preferably, after the server-side has verified the user terminal successfully, it responds to the formal request sent by the user terminal. Those skilled in the art will readily understand that the response to the request depends on the type of application environment, the request, its object, and so on.
Preferably, step 10 further includes: the server-side blacklists the MAC address of the user terminal and sends a network attack alarm. Thus the network operator or owner of the server-side (such as an Internet service provider) can respond to network attacks more proactively and more forcefully.
The present invention also provides a security authentication system for network requests, comprising a server-side and a user terminal, wherein the user terminal and the server-side complete the security verification of a network request by performing the security verification method described above.
On the basis of common knowledge in the art, the above preferred conditions can be combined arbitrarily to obtain the preferred embodiments of the present invention.
The positive effects of the present invention are:
The security authentication method and system for network requests of the present invention can respond to the requests of a user and refuse the requests of an attacker; the security level can also be set according to the security situation; execution is very efficient; and a balance between security and execution speed and efficiency can be achieved.
Embodiment 1
Referring to Fig. 1, the security authentication method for network requests of this embodiment comprises the following steps:
Step 1: the user terminal judges whether the logged-in user is logging in for the first time; if so, step 3 is performed, otherwise step 2 is performed;
Step 2: the user terminal determines whether it holds a security token (i.e. secure token) satisfying a first condition; if so, step 6 is performed, otherwise step 3 is performed. The first condition is that the security token has not expired, that it has not been used more than the default number of times, or both;
Step 3: the user terminal sends the user identity proof (i.e. uid) of the logged-in user to the server-side;
Step 4: the server-side generates a random token and records the user identity proof as a first record value (generally also referred to as the key), the default number of uses as the usable count, the sending time of the user identity proof plus a default duration as the expiry time, and the random token; it then returns the random token (i.e. random token) to the user terminal and prompts it to send a formal request;
Step 5: the user terminal generates a security token from the user identity proof, the user's password and the random token using the default security algorithm;
Step 6: the user terminal sends the user identity proof and the security token to the server-side;
Step 7: the server-side retrieves the recorded random token and the usable count and/or expiry time of the user; if there is no record, it returns an authentication failure and step 3 is performed;
Step 8: the server-side judges whether the current time exceeds the expiry time and/or whether the usable count is less than or equal to zero; if either judgement is yes, the server-side deletes the recorded information of the user, outputs an authentication failure message to the user terminal and terminates the security authentication process; if the judgement is no, step 9 is performed;
Step 9: the server-side computes a reference token from the recorded first record value (the user identity proof), the user's password and the random token using the security algorithm, and judges whether this reference token is identical to the security token sent by the user terminal; if so, the authentication succeeds, otherwise step 10 is performed;
Step 10: the server-side blocks the MAC address (i.e. physical address) of the user terminal for a default block duration, blacklists the MAC address of the user terminal, and sends a network attack alarm.
Here the default security algorithm is a Secure Hash Algorithm, i.e. an SHA algorithm, which further includes encrypting the user's password with the MD5 encryption algorithm. After the server-side has verified the user terminal successfully, it responds to the formal request sent by the user terminal.
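The following is an added example written for this page; it is not code from the patent itself. It models the ten-step exchange of both the summary and Embodiment 1 above, with a server-side that keeps the step 4 record (key, usable count, expiry time, random token), a user terminal that applies the step 2 first condition before reusing its security token, and the step 9 comparison followed by the step 10 MAC block, blacklist and alarm. The concrete choices are assumptions the patent does not make: SHA-256 as the "SHA algorithm", colon-joined inputs to the digest, the default use count, token lifetime and block duration, and a terminal that mirrors the server defaults locally to evaluate the first condition. The clock is injectable so that the expiry path of step 8 can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Constructed defaults for this example; the patent leaves the concrete values unspecified.
DEFAULT_USES = 5               # "default number of uses" recorded in step 4
DEFAULT_TOKEN_TTL = 300.0      # seconds; the "default duration" added to the sending time (step 4)
DEFAULT_BLOCK_SECONDS = 600.0  # "default block duration" of step 10


def security_algorithm(uid, password, random_token):
    """Steps 5 and 9: the embodiment's security algorithm.

    The password is first processed with MD5 (the embodiment's "password encryption"),
    then a SHA digest is taken over uid, that MD5 value and the random token.
    SHA-256 and the ':' joining are assumptions; the patent only says "SHA algorithm".
    """
    pw_md5 = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha256(f"{uid}:{pw_md5}:{random_token}".encode()).hexdigest()


class Server:
    def __init__(self, credentials, clock=time.time):
        self.credentials = credentials  # uid -> password known to the server-side
        self.records = {}               # step 4 records keyed by uid (the "key")
        self.blocked = {}               # MAC address -> time the step 10 block ends
        self.blacklist = set()          # blacklisted MAC addresses (preferred step 10)
        self.alarms = []                # network attack alarms (preferred step 10)
        self.clock = clock

    def issue_random_token(self, uid):
        """Step 4: record key, usable count, expiry time and a fresh random token."""
        token = secrets.token_hex(16)
        self.records[uid] = {"key": uid, "uses_left": DEFAULT_USES,
                             "expires_at": self.clock() + DEFAULT_TOKEN_TTL,
                             "random_token": token}
        return token

    def verify(self, uid, security_token, mac):
        """Steps 7 to 10. Returns 'ok', 'no_record', 'expired', 'exhausted',
        'mismatch' or 'blocked' (the last is how an active step 10 block is observed)."""
        if self.clock() < self.blocked.get(mac, 0.0):
            return "blocked"
        rec = self.records.get(uid)
        password = self.credentials.get(uid)
        if rec is None or password is None:          # step 7: nothing recorded -> failure
            return "no_record"
        expired = self.clock() > rec["expires_at"]   # step 8
        if expired or rec["uses_left"] <= 0:
            del self.records[uid]
            return "expired" if expired else "exhausted"
        reference = security_algorithm(rec["key"], password, rec["random_token"])  # step 9
        if hmac.compare_digest(reference, security_token):   # constant-time comparison
            rec["uses_left"] -= 1
            return "ok"
        self.blocked[mac] = self.clock() + DEFAULT_BLOCK_SECONDS  # step 10
        self.blacklist.add(mac)
        self.alarms.append(f"network attack alarm: uid={uid} mac={mac}")
        return "mismatch"


class UserTerminal:
    def __init__(self, uid, password, mac, server, clock=time.time):
        self.uid, self.password, self.mac = uid, password, mac
        self.server, self.clock = server, clock
        self.first_login = True
        self.security_token = None
        self.token_expires_at = 0.0
        self.token_uses_left = 0

    def _token_ok(self):
        # Step 2 "first condition": a token is held, it has not expired and is not used up.
        # The terminal mirrors the server defaults locally (an assumption of this example).
        return (self.security_token is not None and self.clock() <= self.token_expires_at
                and self.token_uses_left > 0)

    def _obtain_token(self):
        random_token = self.server.issue_random_token(self.uid)                 # steps 3 and 4
        self.security_token = security_algorithm(self.uid, self.password, random_token)  # step 5
        self.token_expires_at = self.clock() + DEFAULT_TOKEN_TTL
        self.token_uses_left = DEFAULT_USES

    def send_request(self):
        if self.first_login or not self._token_ok():   # steps 1 and 2
            self._obtain_token()
            self.first_login = False
        result = self.server.verify(self.uid, self.security_token, self.mac)  # step 6
        if result == "no_record":                      # step 7: start again from step 3
            self._obtain_token()
            result = self.server.verify(self.uid, self.security_token, self.mac)
        if result == "ok":
            self.token_uses_left -= 1
        return result


def demo():
    """Run the exchange against a controllable clock; returns the observed outcomes."""
    clock = {"now": 1_000.0}
    now = lambda: clock["now"]
    server = Server({"alice": "correct horse battery"}, clock=now)   # constructed credentials
    alice = UserTerminal("alice", "correct horse battery", "aa:bb:cc:dd:ee:01", server, clock=now)
    out = {"first_login": alice.send_request()}                              # steps 1,3,4,5,6,9
    out["reuse"] = [alice.send_request() for _ in range(DEFAULT_USES - 1)]   # step 2 -> step 6
    out["server_uses_left"] = server.records["alice"]["uses_left"]
    clock["now"] += DEFAULT_TOKEN_TTL + 1                                    # token is now stale
    out["stale_direct"] = server.verify("alice", alice.security_token, alice.mac)  # step 8
    out["after_expiry"] = alice.send_request()                               # step 2 fails -> fresh token
    intruder = UserTerminal("alice", "wrong password", "aa:bb:cc:dd:ee:99", server, clock=now)
    out["wrong_password"] = intruder.send_request()                          # step 9 mismatch -> step 10
    out["intruder_blocked"] = intruder.send_request()                        # MAC is still blocked
    out["alarms"] = len(server.alarms)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noticing when running `demo()`. The step 9 comparison uses `hmac.compare_digest` so that the reference token and the received token are compared in constant time rather than with `==`. And because step 4 keys the record by uid alone, any request for a fresh random token for a uid replaces the existing record for that uid; in the demo the intruder's token request overwrites the legitimate terminal's record, so a deployment would want to bind the step 4 record to the session that requested it as well as to the uid.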