CN107276747A - A kind of method and system of the mobile device secure access based on protocol extension - Google Patents
A kind of method and system of the mobile device secure access based on protocol extension Download PDFInfo
- Publication number
- CN107276747A CN107276747A CN201710685845.2A CN201710685845A CN107276747A CN 107276747 A CN107276747 A CN 107276747A CN 201710685845 A CN201710685845 A CN 201710685845A CN 107276747 A CN107276747 A CN 107276747A
- Authority
- CN
- China
- Prior art keywords
- mobile device
- secure access
- protocol extension
- private key
- device based
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a kind of method of the mobile device secure access based on protocol extension, Step 1: in PATH parameter of the client to HTTP message, current time and private key string carry out MD5 calculating, form message signature field;Step 2: the same private key string to PATH parameters, current time and agreement of server carries out MD5 calculating again, the message signature field come with client transmissions is compared, and is passed through if consistent, the denied access if inconsistent.
Description
Technical field
The invention belongs to internet financial field, it is related to method and be that a kind of internet finance APP had secure access to
System.
Background technology
With being surging forward for internet finance, APP becomes the standard configuration of each internet financing corporation.Now
90% platform flow comes from mobile APP.APP has become a very important traffic ingress.But the safety of mobile device
Access control is a technological difficulties all the time.The method of existing mobile device safe access control is mainly the HTTPS by SSL
Two-way authentication is realized.The characteristics of by RSA asymmetric arithmetics, a private key is embedded in APP.With the private in communication process
Key is encrypted, and operation then is decrypted in server end.Accessed for the client without SSL private keys.Server is direct
Refused.
The existing scheme by HTTPS client two-way authentications has the following disadvantages:
1. APP clients need to be embedded in private key certificate in needing.This security of itself to APP propose comparison it is high will
Ask, if APP is shelled, by decompiling, leakage will occur for private key certificate to cause the visit of unauthorized mobile device
Access is asked, the security to system produces destruction.
2. if using HTTPS two-way authentications, for the adaptability of the safety product of WAF, DDOS safeguard
It is poor.It can not be reinforced if the two-way authentication for employing HTTPS using DDOS and WAF, tackle surging net
When network is attacked, service end will be very fragile.
3. using if HTTPS two-way authentications, the interaction times in communication process are said than HTTPS unilateral authentication and wanted
Increase is a lot, and the influence for Consumer's Experience is very big.
The content of the invention
In order to solve above-mentioned technical problem present in prior art, the invention provides a kind of shifting based on protocol extension
The method of dynamic equipment secure access,
Step 1: in PATH parameter of the client to HTTP message, current time and private key string carry out MD5 calculating, form message
Signature field;
Step 2: the same private key string to PATH parameters, current time and agreement of server carries out MD5 calculating again, with client
Hold the message signature field transmitted to be compared, pass through if consistent, the denied access if inconsistent.
Further, step one is completed by signature computing SDK, with SO files inside Android APP, is added in the form of JNI
It is loaded in inside Android APP;To be carried in the form of dylib files inside IOS APP inside IOS APP.
Further, signature is put into HTTP message head after the completion of calculating as self-defined head.
Further, step 2 is completed by sign test filter, and sign test filter is added in nginx in the form of expansion module
It is loaded in nginx executable files.
Further, when the time is in 30 minutes before and after 0 point, calculated respectively with date and date+1 respectively, as long as one
Individual result is consistent, and sign test passes through.
Further, private key string is if desired changed, SO files and dylib files are replaced.
Further, private key string is if desired changed, the sign test filter module is directly replaced, then nginx is carried out straight
Connect compiling.
Beneficial effects of the present invention are as follows:
1. it is fully transparent to back-end services by the way that in the self-defined signature field of protocol extension, the interaction of agreement is not influenceed, can
To apply in the scene that various APP have secure access to.
2. safe access control need not be carried out to client using HTTPS bi-directional authentications, matching can be very good
Various DDOS, WAF equipment.
3. not changing the interaction of existing communication agreement, do not increase interaction times additionally.Do not have for APP Consumer's Experience
Have an impact.
4.APP clients need not include private key certificate, by loading the component cryptographic algorithm by obscuring, be signed
Field is calculated.AES is compiled using primary pattern, is cracked very big with reverse-engineering difficulty.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the present invention.
Embodiment
The invention will be further described below in conjunction with the accompanying drawings.
It is a principal object of the present invention to by the way that in PATH parameter of the client to HTTP message, current time and private key string enter
Row MD5 is calculated, and forms message signature field.The same private key string to PATH parameters, current time and agreement of server enters again
Row MD5 is calculated, and the signature field come with client transmissions is compared.Let pass if consistent.If verification is wrong, clothes
Just report " 401 " mistake in business device end.So as to complete the access of unauthorized terminal.
The method of the secure access of the mobile device based on protocol extension of the present invention, including the label towards ios device are provided
Name computing SDK, signature computing SDK, the sign test filter towards Nginx towards Andriod equipment.
1. sign computing SDK
Signature computing SDK, with SO files, is carried in inside Android APP inside Android APP in the form of JNI.In IOS APP
Face is carried in the form of dylib files inside IOS APP.
The algorithm of signature is:
checksum=MD5(MD5(path+DATE+private_key))
Wherein PATH is the PATH parameters inside URL request, for example:/service/invoke service1=para1&
service2=para2
DATE parameters are that the current time form of terminal is:YYYYDDMM
Private_key is the preset parameter of both sides' agreement.
SDK function name is:string tzg_checksum(path)
Signature is put into HTTP message head, self-defined header information in HTTP message after the completion of calculating as self-defined head
For:“tzg_checksum”
For example:tzg_checksum :D6FE1D0BE6347B8EF2427FA629C04485
2. sign test filter
Sign test filter is in nginx to be carried in the form of expansion module in nginx executable files.Module is entitled:ngx_
tzg_header_filter_module.c
The algorithm of sign test is:
checksum=MD5(MD5(path+DATE+private_key))
Wherein PATH is the PATH parameters inside URL request, for example:/service/invoke service1=para1&
service2=para2
DATE(Date)Parameter is that the current time form of terminal is:YYYYDDMM
private_key(Private key string)It is the preset parameter of both sides' agreement.
Wherein when the time is in 30 minutes before and after 0 point, in order to ensure not because the date switches and causes sign test to fail.Point
Yong not DATE and DATE+1, two checksum of the two dates calculating, as long as it is correct to have one.Sign test is taken as to lead to
Cross.
The present invention has five big features, and Details as Follows:
One:The algorithm of the algorithm signature of signature is the core of this programme.The algorithm operation quantity is small, and calculating speed is fast, and the calculation
It is all different that method, which ensures that different HTTP are invoked in different time, and is calculated by 2 MD5, is effectively prevented
Dictionary attack.
Two:The function name of the function name signature of signature is of the invention as a client SDK important component
Core.After function name is decided, need to change Private Key when later(Private key string)When, as long as to SO files
Being replaced with dylib files just can be with.
Three:The algorithm of sign test;The algorithm of signature is the core of this programme.The algorithm operation quantity is small, and calculating speed is fast, and
The algorithm is effectively avoided, and when switching on the zero point date, causes sign test to fail.
Four:The function name of sign test;The module name of sign test is the core of the present invention.After module name is decided, after
When needing to change Private Key, the module is directly being replaced, then carrying out direct compilation to nginx just can be with.
Five:The head definition of signature field;It is core of the invention that the head of signature field, which is defined,.The field is signature word
Section protocol conventions in heading, it is ensured that whole verification is suitably smoothed out.
The method of existing mobile device safe access control is mainly realized by SSL HTTPS two-way authentications.This hair
It is bright to HTTP message increase privatization signature field by way of realize the access control of mobile device.
Claims (7)
1. a kind of method of the mobile device secure access based on protocol extension, it is characterised in that:
Step 1: in PATH parameter of the client to HTTP message, current time and private key string carry out MD5 calculating, form message
Signature field;
Step 2: the same private key string to PATH parameters, current time and agreement of server carries out MD5 calculating again, with client
Hold the message signature field transmitted to be compared, pass through if consistent, the denied access if inconsistent.
2. the method that the mobile device based on protocol extension has secure access to as claimed in claim 1, it is characterised in that:Step one
Completed, with SO files inside Android APP, be carried in the form of JNI inside Android APP by signature computing SDK;In IOS
It is carried in inside APP in the form of dylib files inside IOS APP.
3. the method that the mobile device based on protocol extension has secure access to as claimed in claim 2, it is characterised in that:Signature exists
After the completion of calculating, it is put into as self-defined head in HTTP message head.
4. the method that the mobile device based on protocol extension has secure access to as claimed in claim 1, it is characterised in that:Step 2
Completed by sign test filter, sign test filter is in nginx to be carried in the form of expansion module in nginx executable files.
5. the method that the mobile device based on protocol extension has secure access to as claimed in claim 4, it is characterised in that:Work as the time
In 30 minutes before and after 0 point, calculated respectively with date and date+1 respectively, as long as a result is consistent, sign test passes through.
6. the method that the mobile device based on protocol extension has secure access to as claimed in claim 2, it is characterised in that:If desired
Private key string is changed, SO files and dylib files are replaced.
7. the method that the mobile device based on protocol extension has secure access to as claimed in claim 4, it is characterised in that:If desired
Private key string is changed, the sign test filter module is directly replaced, direct compilation then is carried out to nginx.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710685845.2A CN107276747A (en) | 2017-08-11 | 2017-08-11 | A kind of method and system of the mobile device secure access based on protocol extension |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710685845.2A CN107276747A (en) | 2017-08-11 | 2017-08-11 | A kind of method and system of the mobile device secure access based on protocol extension |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107276747A true CN107276747A (en) | 2017-10-20 |
Family
ID=60077164
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710685845.2A Pending CN107276747A (en) | 2017-08-11 | 2017-08-11 | A kind of method and system of the mobile device secure access based on protocol extension |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107276747A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090141887A1 (en) * | 2007-12-03 | 2009-06-04 | Yap Kirk S | Method and apparatus for generic multi-stage nested hash processing |
CN103973703A (en) * | 2014-05-23 | 2014-08-06 | 杭州智屏科技有限公司 | Request method for safety of data exchange between application program and server |
CN105260640A (en) * | 2015-10-28 | 2016-01-20 | 南京邮电大学 | Evidence collecting system and method based on fingerprint authentication and GPS |
CN106330947A (en) * | 2016-09-06 | 2017-01-11 | 西安瀚炬网络科技有限公司 | Method and system for recognizing disguised WiFi and system working method |
CN106533658A (en) * | 2017-01-11 | 2017-03-22 | 安徽博约信息科技股份有限公司 | URL tamper-proofing signature and signature verification method based on MD5 algorithm |
-
2017
- 2017-08-11 CN CN201710685845.2A patent/CN107276747A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090141887A1 (en) * | 2007-12-03 | 2009-06-04 | Yap Kirk S | Method and apparatus for generic multi-stage nested hash processing |
CN103973703A (en) * | 2014-05-23 | 2014-08-06 | 杭州智屏科技有限公司 | Request method for safety of data exchange between application program and server |
CN105260640A (en) * | 2015-10-28 | 2016-01-20 | 南京邮电大学 | Evidence collecting system and method based on fingerprint authentication and GPS |
CN106330947A (en) * | 2016-09-06 | 2017-01-11 | 西安瀚炬网络科技有限公司 | Method and system for recognizing disguised WiFi and system working method |
CN106533658A (en) * | 2017-01-11 | 2017-03-22 | 安徽博约信息科技股份有限公司 | URL tamper-proofing signature and signature verification method based on MD5 algorithm |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110380852B (en) | Bidirectional authentication method and communication system | |
EP3318003B1 (en) | Confidential authentication and provisioning | |
CN107404461B (en) | Data secure transmission method, client and server method, device and system | |
WO2021017128A1 (en) | Login token generation method and apparatus, login token verification method and apparatus, and server | |
CN104580189B (en) | A kind of safe communication system | |
CN111460453A (en) | Machine learning training method, controller, device, server, terminal and medium | |
CN110401615B (en) | Identity authentication method, device, equipment, system and readable storage medium | |
CN105072125B (en) | A kind of http communication system and method | |
CN106454528A (en) | Service processing method based on trusted execution environment and client side | |
CN113438086A (en) | Data security protection method and system | |
CN104579679B (en) | Wireless public network data forwarding method for agriculture distribution communication equipment | |
CN107800675A (en) | A kind of data transmission method, terminal and server | |
CN105491073B (en) | Data downloading method, device and system | |
CN109670828B (en) | Application online signature method and system | |
CN110011950B (en) | Authentication method and device for video stream address | |
CN103546289A (en) | USB (universal serial bus) Key based secure data transmission method and system | |
CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
CN111181912B (en) | Browser identifier processing method and device, electronic equipment and storage medium | |
CN102811224A (en) | Method, device and system for implementation of SSL (secure socket layer)/TLS (transport layer security) connection | |
CN111131416A (en) | Business service providing method and device, storage medium and electronic device | |
CN103944724A (en) | User identity identification card | |
CN106533677B (en) | A kind of user login method, user terminal and server | |
CN109005184A (en) | File encrypting method and device, storage medium, terminal | |
GB2522445A (en) | Secure mobile wireless communications platform | |
CN109272314A (en) | A kind of safety communicating method and system cooperateing with signature calculation based on two sides |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
AD01 | Patent right deemed abandoned | ||
AD01 | Patent right deemed abandoned |
Effective date of abandoning: 20210716 |