CN107276747A - A kind of method and system of the mobile device secure access based on protocol extension - Google Patents

A kind of method and system of the mobile device secure access based on protocol extension Download PDF

Info

Publication number
CN107276747A
CN107276747A CN201710685845.2A CN201710685845A CN107276747A CN 107276747 A CN107276747 A CN 107276747A CN 201710685845 A CN201710685845 A CN 201710685845A CN 107276747 A CN107276747 A CN 107276747A
Authority
CN
China
Prior art keywords
mobile device
secure access
protocol extension
private key
device based
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710685845.2A
Other languages
Chinese (zh)
Inventor
裘宏骏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Copper Internet Nationwide Financial Services Inc
Original Assignee
Hangzhou Copper Internet Nationwide Financial Services Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Copper Internet Nationwide Financial Services Inc filed Critical Hangzhou Copper Internet Nationwide Financial Services Inc
Priority to CN201710685845.2A priority Critical patent/CN107276747A/en
Publication of CN107276747A publication Critical patent/CN107276747A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a kind of method of the mobile device secure access based on protocol extension, Step 1: in PATH parameter of the client to HTTP message, current time and private key string carry out MD5 calculating, form message signature field;Step 2: the same private key string to PATH parameters, current time and agreement of server carries out MD5 calculating again, the message signature field come with client transmissions is compared, and is passed through if consistent, the denied access if inconsistent.

Description

A kind of method and system of the mobile device secure access based on protocol extension
Technical field
The invention belongs to internet financial field, it is related to method and be that a kind of internet finance APP had secure access to System.
Background technology
With being surging forward for internet finance, APP becomes the standard configuration of each internet financing corporation.Now 90% platform flow comes from mobile APP.APP has become a very important traffic ingress.But the safety of mobile device Access control is a technological difficulties all the time.The method of existing mobile device safe access control is mainly the HTTPS by SSL Two-way authentication is realized.The characteristics of by RSA asymmetric arithmetics, a private key is embedded in APP.With the private in communication process Key is encrypted, and operation then is decrypted in server end.Accessed for the client without SSL private keys.Server is direct Refused.
The existing scheme by HTTPS client two-way authentications has the following disadvantages:
1. APP clients need to be embedded in private key certificate in needing.This security of itself to APP propose comparison it is high will Ask, if APP is shelled, by decompiling, leakage will occur for private key certificate to cause the visit of unauthorized mobile device Access is asked, the security to system produces destruction.
2. if using HTTPS two-way authentications, for the adaptability of the safety product of WAF, DDOS safeguard It is poor.It can not be reinforced if the two-way authentication for employing HTTPS using DDOS and WAF, tackle surging net When network is attacked, service end will be very fragile.
3. using if HTTPS two-way authentications, the interaction times in communication process are said than HTTPS unilateral authentication and wanted Increase is a lot, and the influence for Consumer's Experience is very big.
The content of the invention
In order to solve above-mentioned technical problem present in prior art, the invention provides a kind of shifting based on protocol extension The method of dynamic equipment secure access,
Step 1: in PATH parameter of the client to HTTP message, current time and private key string carry out MD5 calculating, form message Signature field;
Step 2: the same private key string to PATH parameters, current time and agreement of server carries out MD5 calculating again, with client Hold the message signature field transmitted to be compared, pass through if consistent, the denied access if inconsistent.
Further, step one is completed by signature computing SDK, with SO files inside Android APP, is added in the form of JNI It is loaded in inside Android APP;To be carried in the form of dylib files inside IOS APP inside IOS APP.
Further, signature is put into HTTP message head after the completion of calculating as self-defined head.
Further, step 2 is completed by sign test filter, and sign test filter is added in nginx in the form of expansion module It is loaded in nginx executable files.
Further, when the time is in 30 minutes before and after 0 point, calculated respectively with date and date+1 respectively, as long as one Individual result is consistent, and sign test passes through.
Further, private key string is if desired changed, SO files and dylib files are replaced.
Further, private key string is if desired changed, the sign test filter module is directly replaced, then nginx is carried out straight Connect compiling.
Beneficial effects of the present invention are as follows:
1. it is fully transparent to back-end services by the way that in the self-defined signature field of protocol extension, the interaction of agreement is not influenceed, can To apply in the scene that various APP have secure access to.
2. safe access control need not be carried out to client using HTTPS bi-directional authentications, matching can be very good Various DDOS, WAF equipment.
3. not changing the interaction of existing communication agreement, do not increase interaction times additionally.Do not have for APP Consumer's Experience Have an impact.
4.APP clients need not include private key certificate, by loading the component cryptographic algorithm by obscuring, be signed Field is calculated.AES is compiled using primary pattern, is cracked very big with reverse-engineering difficulty.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the present invention.
Embodiment
The invention will be further described below in conjunction with the accompanying drawings.
It is a principal object of the present invention to by the way that in PATH parameter of the client to HTTP message, current time and private key string enter Row MD5 is calculated, and forms message signature field.The same private key string to PATH parameters, current time and agreement of server enters again Row MD5 is calculated, and the signature field come with client transmissions is compared.Let pass if consistent.If verification is wrong, clothes Just report " 401 " mistake in business device end.So as to complete the access of unauthorized terminal.
The method of the secure access of the mobile device based on protocol extension of the present invention, including the label towards ios device are provided Name computing SDK, signature computing SDK, the sign test filter towards Nginx towards Andriod equipment.
1. sign computing SDK
Signature computing SDK, with SO files, is carried in inside Android APP inside Android APP in the form of JNI.In IOS APP Face is carried in the form of dylib files inside IOS APP.
The algorithm of signature is:
checksum=MD5(MD5(path+DATE+private_key))
Wherein PATH is the PATH parameters inside URL request, for example:/service/invoke service1=para1& service2=para2
DATE parameters are that the current time form of terminal is:YYYYDDMM
Private_key is the preset parameter of both sides' agreement.
SDK function name is:string tzg_checksum(path)
Signature is put into HTTP message head, self-defined header information in HTTP message after the completion of calculating as self-defined head For:“tzg_checksum”
For example:tzg_checksum :D6FE1D0BE6347B8EF2427FA629C04485
2. sign test filter
Sign test filter is in nginx to be carried in the form of expansion module in nginx executable files.Module is entitled:ngx_ tzg_header_filter_module.c
The algorithm of sign test is:
checksum=MD5(MD5(path+DATE+private_key))
Wherein PATH is the PATH parameters inside URL request, for example:/service/invoke service1=para1& service2=para2
DATE(Date)Parameter is that the current time form of terminal is:YYYYDDMM
private_key(Private key string)It is the preset parameter of both sides' agreement.
Wherein when the time is in 30 minutes before and after 0 point, in order to ensure not because the date switches and causes sign test to fail.Point Yong not DATE and DATE+1, two checksum of the two dates calculating, as long as it is correct to have one.Sign test is taken as to lead to Cross.
The present invention has five big features, and Details as Follows:
One:The algorithm of the algorithm signature of signature is the core of this programme.The algorithm operation quantity is small, and calculating speed is fast, and the calculation It is all different that method, which ensures that different HTTP are invoked in different time, and is calculated by 2 MD5, is effectively prevented Dictionary attack.
Two:The function name of the function name signature of signature is of the invention as a client SDK important component Core.After function name is decided, need to change Private Key when later(Private key string)When, as long as to SO files Being replaced with dylib files just can be with.
Three:The algorithm of sign test;The algorithm of signature is the core of this programme.The algorithm operation quantity is small, and calculating speed is fast, and The algorithm is effectively avoided, and when switching on the zero point date, causes sign test to fail.
Four:The function name of sign test;The module name of sign test is the core of the present invention.After module name is decided, after When needing to change Private Key, the module is directly being replaced, then carrying out direct compilation to nginx just can be with.
Five:The head definition of signature field;It is core of the invention that the head of signature field, which is defined,.The field is signature word Section protocol conventions in heading, it is ensured that whole verification is suitably smoothed out.
The method of existing mobile device safe access control is mainly realized by SSL HTTPS two-way authentications.This hair It is bright to HTTP message increase privatization signature field by way of realize the access control of mobile device.

Claims (7)

1. a kind of method of the mobile device secure access based on protocol extension, it is characterised in that:
Step 1: in PATH parameter of the client to HTTP message, current time and private key string carry out MD5 calculating, form message Signature field;
Step 2: the same private key string to PATH parameters, current time and agreement of server carries out MD5 calculating again, with client Hold the message signature field transmitted to be compared, pass through if consistent, the denied access if inconsistent.
2. the method that the mobile device based on protocol extension has secure access to as claimed in claim 1, it is characterised in that:Step one Completed, with SO files inside Android APP, be carried in the form of JNI inside Android APP by signature computing SDK;In IOS It is carried in inside APP in the form of dylib files inside IOS APP.
3. the method that the mobile device based on protocol extension has secure access to as claimed in claim 2, it is characterised in that:Signature exists After the completion of calculating, it is put into as self-defined head in HTTP message head.
4. the method that the mobile device based on protocol extension has secure access to as claimed in claim 1, it is characterised in that:Step 2 Completed by sign test filter, sign test filter is in nginx to be carried in the form of expansion module in nginx executable files.
5. the method that the mobile device based on protocol extension has secure access to as claimed in claim 4, it is characterised in that:Work as the time In 30 minutes before and after 0 point, calculated respectively with date and date+1 respectively, as long as a result is consistent, sign test passes through.
6. the method that the mobile device based on protocol extension has secure access to as claimed in claim 2, it is characterised in that:If desired Private key string is changed, SO files and dylib files are replaced.
7. the method that the mobile device based on protocol extension has secure access to as claimed in claim 4, it is characterised in that:If desired Private key string is changed, the sign test filter module is directly replaced, direct compilation then is carried out to nginx.
CN201710685845.2A 2017-08-11 2017-08-11 A kind of method and system of the mobile device secure access based on protocol extension Pending CN107276747A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710685845.2A CN107276747A (en) 2017-08-11 2017-08-11 A kind of method and system of the mobile device secure access based on protocol extension

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710685845.2A CN107276747A (en) 2017-08-11 2017-08-11 A kind of method and system of the mobile device secure access based on protocol extension

Publications (1)

Publication Number Publication Date
CN107276747A true CN107276747A (en) 2017-10-20

Family

ID=60077164

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710685845.2A Pending CN107276747A (en) 2017-08-11 2017-08-11 A kind of method and system of the mobile device secure access based on protocol extension

Country Status (1)

Country Link
CN (1) CN107276747A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090141887A1 (en) * 2007-12-03 2009-06-04 Yap Kirk S Method and apparatus for generic multi-stage nested hash processing
CN103973703A (en) * 2014-05-23 2014-08-06 杭州智屏科技有限公司 Request method for safety of data exchange between application program and server
CN105260640A (en) * 2015-10-28 2016-01-20 南京邮电大学 Evidence collecting system and method based on fingerprint authentication and GPS
CN106330947A (en) * 2016-09-06 2017-01-11 西安瀚炬网络科技有限公司 Method and system for recognizing disguised WiFi and system working method
CN106533658A (en) * 2017-01-11 2017-03-22 安徽博约信息科技股份有限公司 URL tamper-proofing signature and signature verification method based on MD5 algorithm

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090141887A1 (en) * 2007-12-03 2009-06-04 Yap Kirk S Method and apparatus for generic multi-stage nested hash processing
CN103973703A (en) * 2014-05-23 2014-08-06 杭州智屏科技有限公司 Request method for safety of data exchange between application program and server
CN105260640A (en) * 2015-10-28 2016-01-20 南京邮电大学 Evidence collecting system and method based on fingerprint authentication and GPS
CN106330947A (en) * 2016-09-06 2017-01-11 西安瀚炬网络科技有限公司 Method and system for recognizing disguised WiFi and system working method
CN106533658A (en) * 2017-01-11 2017-03-22 安徽博约信息科技股份有限公司 URL tamper-proofing signature and signature verification method based on MD5 algorithm

Similar Documents

Publication Publication Date Title
CN110380852B (en) Bidirectional authentication method and communication system
EP3318003B1 (en) Confidential authentication and provisioning
CN107404461B (en) Data secure transmission method, client and server method, device and system
WO2021017128A1 (en) Login token generation method and apparatus, login token verification method and apparatus, and server
CN104580189B (en) A kind of safe communication system
CN111460453A (en) Machine learning training method, controller, device, server, terminal and medium
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CN105072125B (en) A kind of http communication system and method
CN106454528A (en) Service processing method based on trusted execution environment and client side
CN113438086A (en) Data security protection method and system
CN104579679B (en) Wireless public network data forwarding method for agriculture distribution communication equipment
CN107800675A (en) A kind of data transmission method, terminal and server
CN105491073B (en) Data downloading method, device and system
CN109670828B (en) Application online signature method and system
CN110011950B (en) Authentication method and device for video stream address
CN103546289A (en) USB (universal serial bus) Key based secure data transmission method and system
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN111181912B (en) Browser identifier processing method and device, electronic equipment and storage medium
CN102811224A (en) Method, device and system for implementation of SSL (secure socket layer)/TLS (transport layer security) connection
CN111131416A (en) Business service providing method and device, storage medium and electronic device
CN103944724A (en) User identity identification card
CN106533677B (en) A kind of user login method, user terminal and server
CN109005184A (en) File encrypting method and device, storage medium, terminal
GB2522445A (en) Secure mobile wireless communications platform
CN109272314A (en) A kind of safety communicating method and system cooperateing with signature calculation based on two sides

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned
AD01 Patent right deemed abandoned

Effective date of abandoning: 20210716