CN104980449B - The safety certifying method and system of network request - Google Patents


Info

Publication number: CN104980449B
Authority: CN (China)
Prior art keywords: user, server, token, security, user terminal
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201510481542.XA
Other languages: Chinese (zh)
Other versions: CN104980449A (en)
Inventors: 吴鹏越, 张晓媛, 杨琪
Current assignee: Ctrip Travel Network Technology Shanghai Co Ltd
Original assignee: Shanghai Ctrip Business Co Ltd
Priority date: 2015-08-03
Filing date: 2015-08-03
Publication dates: 2015-10-14 (CN104980449A), 2018-05-08 (CN104980449B)
Events: application filed by Shanghai Ctrip Business Co Ltd; priority to CN201510481542.XA; publication of CN104980449A; application granted; publication of CN104980449B; legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Abstract

The invention discloses a security authentication method and system for network requests. The security authentication method comprises the following steps: the user terminal sends a formal request, generates a security token with a security algorithm from the uid, the password and a random token generated by the server side, and sends the uid and the security token to the server side; the server side extracts the user's record, and authentication fails if there is no record; the server side checks the expiry time and/or checks whether the usable count is less than or equal to zero, and if either check is positive it deletes the user information recorded on the server side and authentication fails, otherwise it continues; the server side computes a reference token with the security algorithm and matches the reference token against the security token, and if they match, verification succeeds. The security authentication method and system for network requests of the present invention can respond to requests from users and reject requests from attackers, can set the security level according to the security situation, and can balance security against execution speed and efficiency.

Description

The safety certifying method and system of network request
Technical field
The present invention relates to the security authentication of network requests, and in particular to a security authentication method and system for network requests.
Background technology
The mainstream security authentication mechanisms currently used on networks fall into two classes. Symmetric encryption: both parties agree on an encryption algorithm and a shared key. Asymmetric encryption: the public key and the encryption algorithm are public, while the private key is kept private. Both of these mainstream mechanisms have defects. Where the client code may be cracked (exposing the encryption algorithm) and client communications may be monitored, symmetric encryption is not secure enough, and its key is difficult to replace, so its security risks are hard to eliminate. Asymmetric encryption is more secure than the former but still has shortcomings, and it executes slowly.
The content of the invention
The technical problem to be solved by the present invention is to overcome the defects of prior-art security authentication mechanisms for network requests, namely insufficient security, vulnerability to attack, slow execution and low efficiency, by providing a security authentication method and system for network requests.
The present invention solves the above technical problem by the following technical solution:
A security authentication method for network requests, characterised in that it comprises the following steps:
Step 1: the user terminal determines whether the logged-in user is logging in for the first time; if so, step 3 is executed, otherwise step 2 is executed;
Step 2: the user terminal determines whether it holds a security token (i.e. secure token) that satisfies a first condition; if so, step 6 is executed, otherwise step 3 is executed. The first condition is that the security token has not timed out, has not exceeded the preset number of uses, or has neither timed out nor exceeded the preset number of uses;
Step 3: the user terminal sends the user identity credential (i.e. uid) of the logged-in user to the server side;
Step 4: the server side generates a random token and records the user identity credential as a first record value (generally also called the key), the preset number of uses as the usable count, the sending time of the user identity credential plus a preset first duration as the expiry time, and the random token; it then returns the random token (i.e. random token) and prompts the user terminal to send a formal request;
Step 5: the user terminal uses the preset security algorithm to generate a security token from the user identity credential, the user's password and the random token;
Step 6: the user terminal sends the user identity credential and the security token to the server side;
Step 7: the server side extracts the recorded random token and the usable count and/or expiry time of the user; if there is no record, it returns authentication failure and step 3 is executed;
Step 8: the server side determines whether the current time is past the expiry time and/or whether the usable count is less than or equal to zero; if either result is yes, it deletes the user's information recorded on the server side, outputs authentication-failure information to the user terminal and terminates the security authentication process; if the result is no, step 9 is executed;
Step 9: the server side uses the security algorithm to compute a reference token from the recorded first record value, the user identity credential, the user's password and the random token, and determines whether the reference token is identical to the security token sent by the user terminal; if so, verification succeeds, otherwise step 10 is executed;
Step 10: the server side blocks the MAC address (i.e. physical address) of the user terminal for a preset block duration.
The computation involved in the security verification of the present invention is irreversible: even if an attacker intercepts or steals the encryption algorithm and the security token, the user's password cannot be derived from them. Moreover, the server side only needs to execute the security algorithm once, for example the secure hash algorithm of the preferred solution below, so the whole security verification process has a low computational load and very high efficiency.
Preferably, the preset security algorithm is a secure hash algorithm. Secure hash algorithms are commonly referred to as SHA algorithms.
A secure hash algorithm is an algorithm that produces a digest of input information (such as a message). The digest process has the following properties: different inputs do not have the same fingerprint; the digests of nearly identical inputs differ greatly; and it is computationally difficult to produce an input with the same fingerprint as a given input. This also means that the algorithm is irreversible, which effectively prevents the security algorithm from being reverse-cracked.
Preferably, the preset security algorithm further includes encrypting the user's password. It is readily understood that encrypting the user's password is only a small part of the security algorithm; the security algorithm as a whole uses the encrypted user password together with other information in its complete computation.
Preferably, the preset security algorithm encrypts the user's password using the MD5 encryption algorithm.
Preferably, after the server side verifies successfully, the server side responds to the formal request sent by the user terminal.
Those skilled in the art will readily understand that the response to the request here depends on the application environment, the type and object of the request, and so on.
Preferably, step 10 further includes the server side blacklisting the MAC address of the user terminal and sending a network attack alarm. The network operator or owner of the server side (such as an Internet service provider) can thus respond to network attacks more proactively and forcefully.
The present invention also provides a security authentication system for network requests, comprising a server side and a user terminal, where the user terminal and the server side complete the security verification of network requests by performing the security verification method described above.
On the basis of common knowledge in the art, the above preferred conditions can be combined arbitrarily to obtain the preferred embodiments of the present invention.
The positive effects of the present invention are:
The security authentication method and system for network requests of the present invention can respond to requests from users and reject requests from attackers, can set the security level according to the security situation, execute very efficiently, and balance security against execution speed and efficiency.
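The ten-step exchange above, together with the preferred SHA/MD5 computation, the response on success and the alarm of step 10, as one runnable model in Python. This is an added example, not code from the patent or from the applicant; both sides run in one process and the network is replaced by direct method calls. Several details the patent leaves open are assumptions of this example: the "first record value" is taken to be the uid itself, which the description says is recorded and used as the key; the token inputs are joined with ':' before hashing with SHA-256; the preset number of uses, first duration and block duration are the constants at the top; each successful verification consumes one use; no record is created for an unknown uid; and the "and/or" of step 8 is modelled as a configurable pair of checks so the security level can be set as the abstract describes. MD5 is applied to the password only because the preferred embodiment says so; it is not a password hash a deployment should rely on. The names Server, Client, security_token and demo are this example's own.

```python
import hashlib
import secrets
import time

# Preset values; the patent leaves the actual numbers to the deployment (assumed here).
DEFAULT_USES = 3          # preset number of uses
DEFAULT_DURATION = 300    # preset first duration, in seconds
BLOCK_DURATION = 600      # preset block duration, in seconds


def security_token(uid, password, random_token):
    """Steps 5 and 9: the one-way computation shared by both sides.
    The password is MD5-encrypted first (preferred embodiment), then the uid,
    the encrypted password and the random token are digested with SHA-256.
    Joining the fields with ':' is this example's assumption."""
    pw_digest = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha256(f"{uid}:{pw_digest}:{random_token}".encode()).hexdigest()


class Server:
    def __init__(self, users, now=time.time, checks=("expiry", "uses")):
        self.users = users        # uid -> password known to the server side
        self.records = {}         # uid -> first record value, usable count, expiry, random token
        self.blocked = {}         # mac -> time at which the block lifts
        self.alarms = []          # (mac, uid) network-attack alarms (step 10, claim 6)
        self.now = now
        self.checks = checks      # the "and/or" of step 8: which checks are enabled

    def issue_random_token(self, uid):
        """Step 4: generate a random token and record it against the uid."""
        if uid not in self.users:
            return None           # assumed: no record is created for an unknown uid
        random_token = secrets.token_hex(16)
        self.records[uid] = {"key": uid,   # first record value: the uid is the record key
                             "uses": DEFAULT_USES,
                             "expiry": self.now() + DEFAULT_DURATION,
                             "random": random_token}
        return random_token

    def verify(self, uid, token, mac):
        """Steps 7 to 10 from the server side's point of view."""
        if self.now() < self.blocked.get(mac, 0):
            return "blocked"
        rec = self.records.get(uid)
        if rec is None:                                             # step 7
            return "no_record"
        expired = "expiry" in self.checks and self.now() > rec["expiry"]
        exhausted = "uses" in self.checks and rec["uses"] <= 0
        if expired or exhausted:                                    # step 8
            del self.records[uid]
            return "expired"
        reference = security_token(rec["key"], self.users[uid], rec["random"])  # step 9
        if secrets.compare_digest(reference, token):
            rec["uses"] -= 1      # assumed: each successful verification consumes one use
            return "ok"           # the server side now responds to the formal request
        self.blocked[mac] = self.now() + BLOCK_DURATION             # step 10
        self.alarms.append((mac, uid))
        return "blocked"


class Client:
    def __init__(self, uid, password, mac, server, now=time.time):
        self.uid, self.password, self.mac = uid, password, mac
        self.server, self.now = server, now
        self.cached = None        # (security token, expiry, uses left) after a full exchange

    def request(self):
        """Steps 1, 2, 3, 5 and 6 from the user terminal's point of view."""
        if self.cached is not None:                                 # step 1: not a first login
            token, expiry, uses = self.cached
            checks = self.server.checks
            usable = ("expiry" not in checks or self.now() <= expiry) and \
                     ("uses" not in checks or uses > 0)             # step 2: first condition
            if usable:
                self.cached = (token, expiry, uses - 1)
                return self.server.verify(self.uid, token, self.mac)   # step 6
        random_token = self.server.issue_random_token(self.uid)     # steps 3 and 4
        if random_token is None:
            return "no_record"
        token = security_token(self.uid, self.password, random_token)  # step 5
        self.cached = (token, self.now() + DEFAULT_DURATION, DEFAULT_USES - 1)
        return self.server.verify(self.uid, token, self.mac)        # step 6


def demo():
    """Run the exchange against a controlled clock and return each outcome."""
    clock = [1000.0]
    now = lambda: clock[0]
    srv = Server({"alice": "correct horse"}, now=now)
    alice = Client("alice", "correct horse", "aa:bb:cc:dd:ee:01", srv, now=now)
    out = {"first_login": alice.request(), "cached_token": alice.request()}
    clock[0] += DEFAULT_DURATION + 1                                # token times out
    out["stale_token"] = srv.verify("alice", alice.cached[0], alice.mac)  # step 8 path
    out["after_expiry"] = alice.request()                           # fresh exchange
    mallory = Client("alice", "wrong guess", "aa:bb:cc:dd:ee:02", srv, now=now)
    out["wrong_password"] = mallory.request()                       # mismatch -> step 10
    out["while_blocked"] = mallory.request()
    out["alarms"] = len(srv.alarms)
    return out


if __name__ == "__main__":
    print(demo())
```

Passing `checks=("uses",)` or `checks=("expiry",)` to `Server` selects one of the two step 8 checks on its own, which is how this model expresses the adjustable security level; the client reads the same setting so that its step 2 condition agrees with the server's step 8.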
Brief description of the drawings
Fig. 1 is a flow chart of the security authentication method for network requests of Embodiment 1 of the present invention.
Embodiments
The present invention is further illustrated below by way of embodiments, but the present invention is not thereby limited to the scope of the embodiments.
Embodiment 1
Referring to Fig. 1, the security authentication method for network requests of this embodiment comprises the following steps:
Step 1: the user terminal determines whether the logged-in user is logging in for the first time; if so, step 3 is executed, otherwise step 2 is executed;
Step 2: the user terminal determines whether it holds a security token (i.e. secure token) that satisfies a first condition; if so, step 6 is executed, otherwise step 3 is executed. The first condition is that the security token has not timed out, has not exceeded the preset number of uses, or has neither timed out nor exceeded the preset number of uses;
Step 3: the user terminal sends the user identity credential (i.e. uid) of the logged-in user to the server side;
Step 4: the server side generates a random token and records the user identity credential as a first record value (generally also called the key), the preset number of uses as the usable count, the sending time of the user identity credential plus a preset first duration as the expiry time, and the random token; it then returns the random token (i.e. random token) and prompts the user terminal to send a formal request;
Step 5: the user terminal uses the preset security algorithm to generate a security token from the user identity credential, the user's password and the random token;
Step 6: the user terminal sends the user identity credential and the security token to the server side;
Step 7: the server side extracts the recorded random token and the usable count and/or expiry time of the user; if there is no record, it returns authentication failure and step 3 is executed;
Step 8: the server side determines whether the current time is past the expiry time and/or whether the usable count is less than or equal to zero; if either result is yes, it deletes the user's information recorded on the server side, outputs authentication-failure information to the user terminal and terminates the security authentication process; if the result is no, step 9 is executed;
Step 9: the server side uses the security algorithm to compute a reference token from the recorded first record value, the user identity credential, the user's password and the random token, and determines whether the reference token is identical to the security token sent by the user terminal; if so, verification succeeds, otherwise step 10 is executed;
Step 10: the server side blocks the MAC address (i.e. physical address) of the user terminal for a preset block duration, blacklists the MAC address of the user terminal, and sends a network attack alarm.
Here the security algorithm is a secure hash algorithm, i.e. an SHA algorithm, which further includes encrypting the user's password with the MD5 encryption algorithm. After the server side verifies successfully, it responds to the formal request sent by the user terminal.
Embodiment 2
The security authentication system for network requests of this embodiment comprises a server side and a user terminal, where the user terminal and the server side complete the security verification of network requests by performing the security verification method of Embodiment 1.
Although specific embodiments of the present invention have been described above, those skilled in the art will understand that these are merely illustrative, and the scope of protection of the present invention is defined by the appended claims. Those skilled in the art can make various changes or modifications to these embodiments without departing from the principle and essence of the present invention, and such changes and modifications all fall within the scope of protection of the present invention.

Claims (7)

1. A security authentication method for network requests, characterised in that it comprises the following steps:
Step 1: the user terminal determines whether the logged-in user is logging in for the first time; if so, step 3 is executed, otherwise step 2 is executed;
Step 2: the user terminal determines whether it holds a security token that satisfies a first condition; if so, step 6 is executed, otherwise step 3 is executed, the first condition being that the security token has not timed out, has not exceeded the preset number of uses, or has neither timed out nor exceeded the preset number of uses;
Step 3: the user terminal sends the user identity credential of the logged-in user to the server side;
Step 4: the server side generates a random token and records a first record value corresponding to the user identity credential, the preset number of uses as the usable count, the sending time of the user identity credential plus a preset first duration as the expiry time, and the random token; and returns the random token and prompts the user terminal to send a formal request;
Step 5: the user terminal uses the preset security algorithm to generate a security token from the user identity credential, the user's password and the random token;
Step 6: the user terminal sends the user identity credential and the security token to the server side;
Step 7: the server side extracts the recorded random token and the usable count and/or expiry time of the user; if there is no record, it returns authentication failure and step 3 is executed;
Step 8: the server side determines whether the current time is past the expiry time and/or whether the usable count is less than or equal to zero; if either result is yes, it deletes the user's information recorded on the server side, outputs authentication-failure information to the user terminal and terminates the security authentication process; if the result is no, step 9 is executed;
Step 9: the server side uses the security algorithm to compute a reference token from the recorded first record value, the user identity credential, the user's password and the random token, and determines whether the reference token is identical to the security token sent by the user terminal; if so, verification succeeds, otherwise step 10 is executed;
Step 10: the server side blocks the MAC address of the user terminal for a preset block duration.
2. The security authentication method according to claim 1, characterised in that the preset security algorithm is a secure hash algorithm.
3. The security authentication method according to claim 1, characterised in that the preset security algorithm further includes encrypting the user's password.
4. The security authentication method according to claim 3, characterised in that the preset security algorithm encrypts the user's password using the MD5 encryption algorithm.
5. The security authentication method according to any one of claim 1, characterised in that after the server side verifies successfully, the server side responds to the formal request sent by the user terminal.
6. The security authentication method according to any one of claims 1-5, characterised in that step 10 further includes the server side blacklisting the MAC address of the user terminal and sending a network attack alarm.
7. A security authentication system for network requests, comprising a server side and a user terminal, characterised in that the user terminal and the server side in the security authentication system perform the security authentication method according to any one of claims 1-6 to complete the security verification of network requests.

Priority Applications (1)

Application number: CN201510481542.XA (CN104980449B, en); priority date: 2015-08-03; filing date: 2015-08-03; title: The safety certifying method and system of network request

Applications Claiming Priority (1)

Application number: CN201510481542.XA (CN104980449B, en); priority date: 2015-08-03; filing date: 2015-08-03; title: The safety certifying method and system of network request

Publications (2)

CN104980449A (en), published 2015-10-14
CN104980449B (en), published 2018-05-08

Family

ID: 54276552

Family Applications (1)

Application number: CN201510481542.XA, Active, CN104980449B (en); priority date: 2015-08-03; filing date: 2015-08-03; title: The safety certifying method and system of network request

Country Status (1)

CN (1): CN104980449B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027469B (en) * 2016-01-21 2019-05-21 李明 The processing method and identity card cloud authentication device of authentication ids information process request
CN106302539A (en) * 2016-10-12 2017-01-04 广州市芯德电子技术有限公司 A kind of embedded type WEB safety certifying method
CN106850592B (en) * 2017-01-13 2018-11-16 咪咕视讯科技有限公司 A kind of information processing method, server and terminal
CN106980687B (en) * 2017-03-31 2020-05-22 北京奇艺世纪科技有限公司 Resource downloading system, method and crawler downloading system
CN109948333A (en) * 2019-03-08 2019-06-28 北京顺丰同城科技有限公司 A kind of safety defense method and device of account attack
CN110351333B (en) * 2019-05-30 2020-08-07 中国地质大学(武汉) Request queue method and system with verification mechanism

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5943423A (en) * 1995-12-15 1999-08-24 Entegrity Solutions Corporation Smart token system for secure electronic transactions and identification
CN103188344A (en) * 2013-02-22 2013-07-03 浪潮电子信息产业股份有限公司 Method for safely invoking REST API (representational state transfer, application programming interface)
CN103647777A (en) * 2013-12-13 2014-03-19 华为技术有限公司 Safety certificate method and bidirectional forwarding detection BFD equipment
CN103888470A (en) * 2014-04-02 2014-06-25 飞天诚信科技股份有限公司 Dynamic token synchronizing method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8621598B2 (en) * 2008-03-12 2013-12-31 Intuit Inc. Method and apparatus for securely invoking a rest API


Also Published As

Publication number Publication date
CN104980449A (en) 2015-10-14


Legal Events

Code: Title (Description)
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C41: Transfer of patent application or patent right or utility model
TA01: Transfer of patent application right
    Effective date of registration: 20160204
    Address after: 200335 Shanghai city Changning District Admiralty Road No. 968 Building No. 16 10 floor
    Applicant after: SHANGHAI XIECHENG BUSINESS CO., LTD.
    Address before: 200335 Shanghai City, Changning District Fuquan Road No. 99, Ctrip network technology building
    Applicant before: Ctrip computer technology (Shanghai) Co., Ltd.
GR01: Patent grant
TR01: Transfer of patent right
    Effective date of registration: 20181221
    Address after: No. 99 Fuquan Road, Changning District, Shanghai, 2003
    Patentee after: Ctrip Travel Network Technology (Shanghai) Co., Ltd.
    Address before: 10th Floor, Building 16, 968 Jinzhong Road, Changning District, Shanghai, 2003
    Patentee before: SHANGHAI XIECHENG BUSINESS CO., LTD.