CN108737110A - A kind of data encryption and transmission method and device for anti-replay-attack - Google Patents


Info

Publication number: CN108737110A
Authority: CN (China)
Prior art keywords: token, service request, request, service, network side
Legal status: Granted
Application number: CN201810501127.XA
Other languages: Chinese (zh)
Other versions: CN108737110B (en)
Inventor: 郭岩
Current Assignee: Hangzhou Jiexiang Technology Co.,Ltd.
Original Assignee: Zhonghui Accounting Firm (special General Partnership)

Events
Application filed by Zhonghui Accounting Firm (special General Partnership)
Priority to CN201810501127.XA
Publication of CN108737110A
Application granted
Publication of CN108737110B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data encryption and transmission method for resisting replay attacks. The method includes: generating a token acquisition request and sending the token acquisition request together with a token request URL to the network side, the token acquisition request being obtained by asymmetrically encrypting, with a public key, one or more of the terminal-side UUID, the service parameters and the service request URL; receiving the token returned by the network side and generating a service request from the token, the service request being obtained by asymmetrically encrypting, with a public key, one or more of the token and the service parameters; sending the service request to the network side; and receiving the processing result for the service request returned by the network side. By setting multiple judgement rules, the method and device protect encrypted data transmission from several angles and promptly feed back exception information according to the judgement results, so as to prevent attack patterns such as replay, tampering and forgery.

Description

A kind of data encryption and transmission method and device for anti-replay-attack
Technical field
The present invention relates to the field of communication technology, and in particular to a data encryption and transmission method and device for resisting replay attacks.
Background technology
With the development of network technology the network environment has become more and more open, and the requirements on network security have reached a height never seen before. A request replay attack is a common form of computer attack in which the attacker resends a packet that the destination host has already received. It is mainly aimed at authentication procedures, with the goal of deceiving the system and undermining the correctness of authentication, or of adding to the load on the destination host and even paralysing its ingress interface. Existing treatments of request replay fall broadly into the following kinds.
The first judges by the client timestamp: the client's timestamp is compared with the server's timestamp to decide whether the request has expired. But because the client's clock is managed by the user, it may be inconsistent with the server's time.
The second synchronises the client's clock with the server's and then compares the synchronised client timestamp with the server timestamp to decide expiry. This guarantees that client and server times are consistent, but because time is continuous, the same request sent repeatedly within a very short interval can still be replayed, so replay cannot be strictly prevented.
The third judges by counting: the client and the server each keep a counter, which in general guarantees the uniqueness of each request; the counts must be stored and computed on both sides. Because counts and state must be persisted, the system is more complex to implement and demands high counting accuracy, and under high concurrency there is a risk that the counts become confused.
Invention content
In order to solve the problems of the existing protective approaches against replay attacks described in the background, namely that they are unreliable and relatively complex, the present invention provides a data encryption and transmission method and device for resisting replay attacks. The method and device generate, in every encrypted data transmission, a token that corresponds to that transmission, and by verifying the token's authenticity and other characteristics establish a safe and reliable transmission environment and prevent replay attacks in real time. The data encryption and transmission method for resisting replay attacks includes:
Generating a token acquisition request, and sending the token acquisition request and the token request URL to the network side; the token acquisition request is obtained by asymmetrically encrypting, with a public key, one or more parameters among the terminal-side UUID, the service parameters and the service request URL;
Receiving the token returned by the network side, and generating a service request from the token; the service request is obtained by asymmetrically encrypting, with a public key, one or more parameters among the token and the service parameters;
Sending the service request to the network side;
Receiving the processing result for the service request returned by the network side.
Further, the parameters from which the service request is generated by asymmetric encryption also include a random string and a terminal-side timestamp; the random string is generated randomly and differs between service requests; the terminal-side timestamp records the time at which the terminal side sends out the service request.
A token authentication method for anti-replay-attack encrypted data transmission includes:
When a token acquisition request is received, generating a token according to the token acquisition request; the token acquisition request is generated by asymmetrically encrypting, with a public key, the parameters including the terminal-side UUID, the service request URL and the service parameters;
Sending the token;
When a token is received, verifying the validity of the token, and setting the state of a token that has been verified as valid to invalid;
Sending the result of the token validity verification.
Further, before generating the token according to the token acquisition request, the method also includes:
Parsing the received token acquisition request with the private key to obtain the parameters, which include the terminal-side UUID, the service request URL and the service parameters;
Obtaining a server timestamp, and asymmetrically encrypting the server timestamp together with the terminal-side UUID, the service request URL and the service parameters with a public key to generate the token.
Further, before obtaining the server timestamp, the method also includes:
Confirming whether a token whose state is valid already exists for the service request;
If one exists, returning the existing valid token for the service request to the terminal side;
If none exists, obtaining the server timestamp and proceeding to generate the token.
Further, each of the stored tokens has a corresponding preset cleanup lifetime; when a token has been stored for longer than its preset cleanup lifetime, the token is cleared.
A service processing method for anti-replay-attack encrypted data transmission includes:
When a service request is received, decrypting the service request with the private key corresponding to the public key used for the service request, and obtaining the token; the service request is obtained by asymmetrically encrypting, with a public key, the parameters including the token and the service parameters;
Sending the token to the network side for validity verification;
When the verification result for the token is received, if the result is valid, processing the service request URL corresponding to the token and sending the processing result;
If the verification result is invalid, sending an error message.
Further, before sending the token to the token server for validity verification, the method also includes:
Parsing the received service request to obtain the token and the service parameters;
Parsing the token to obtain the service parameters contained in the token;
Comparing the service parameters parsed from the service request with the service parameters parsed from the token, and confirming whether the two match;
If they match, sending the token to the network side for validity verification;
If they do not match, sending an error message.
Further, the parameters from which the received service request is generated also include a random string, and the method also includes:
When parsing the service request, confirming whether the parsed random string already exists;
If it exists, judging the service request to be a replay attack and sending an error message;
If it does not exist, storing the random string with a preset aging time; once the aging time has elapsed, the random string is deleted automatically.
Further, the parameters from which the received service request is generated also include a terminal-side timestamp, which records the time at which the terminal side sent out the service request; the method also includes:
Confirming whether the difference between the time at which the service request is received and the time recorded in the terminal-side timestamp exceeds a preset time difference;
If it does, the service request was sent out earlier than the preset time difference allows and carries a risk of attack, so an error message is sent;
If it does not, the service request was sent out normally within the preset time difference.
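The three procedures summarised above (the terminal-side flow, the token authentication method and the service processing method) fit together as shown in the following added example, which is not code from the patent or its assignee. It implements a toy token server and service server in Python with the checks the text describes: reuse of an existing valid token for the same request, single-use validation (valid becomes invalid on first check, unknown tokens report as abnormal), scheduled cleanup after a preset lifetime, the random-string store with an aging time, the terminal-timestamp window, and the comparison of the service parameters in the request against those sealed in the token. Assumptions: the patent leaves the asymmetric encryption scheme to the implementer and the Python standard library has no public-key cipher, so the envelope here is an HMAC-sealed JSON blob under a constructed shared key standing in for the public/private key pair; the anti-replay logic does not depend on that choice. All class and function names, the URL, the service parameters and the time values are constructed for the example.

```python
# Added example: toy token server + service server for the patent's anti-replay checks.
# The HMAC-sealed JSON envelope stands in for the patent's public-key encryption (assumption).
import hashlib
import hmac
import json
import secrets
import uuid

SEAL_KEY = b"constructed-demo-key"  # constructed stand-in for the public/private key pair

def seal(params: dict) -> str:
    """Seal a parameter set into an opaque, tamper-evident envelope."""
    body = json.dumps(params, sort_keys=True).encode()
    tag = hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def open_sealed(blob: str) -> dict:
    """Open an envelope; raises ValueError if it is malformed or tampered."""
    body_hex, tag = blob.split(".", 1)
    body = bytes.fromhex(body_hex)
    if not hmac.compare_digest(hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest(), tag):
        raise ValueError("envelope tampered")
    return json.loads(body)

class TokenServer:
    """Token authentication method (Fig. 2): issue, verify once, clean up."""

    def __init__(self, cleanup_age: float = 60.0):
        self.cleanup_age = cleanup_age  # preset cleanup lifetime, seconds
        self.tokens = {}  # token blob -> {"state", "stored_at", "key"}

    def acquire(self, request_blob: str, now: float) -> str:
        req = open_sealed(request_blob)  # the private-key parse of the acquisition request
        key = (req["url"], json.dumps(req["params"], sort_keys=True))
        # Reuse an existing valid token for the same request rather than mint another.
        for blob, rec in self.tokens.items():
            if rec["state"] == "valid" and rec["key"] == key:
                return blob
        blob = seal({"ts": now, "uuid": req["uuid"], "url": req["url"], "params": req["params"]})
        self.tokens[blob] = {"state": "valid", "stored_at": now, "key": key}
        return blob

    def verify(self, blob: str) -> str:
        rec = self.tokens.get(blob)
        if rec is None:
            return "abnormal"  # no local record: never issued by this server
        if rec["state"] != "valid":
            return "invalid"
        rec["state"] = "invalid"  # each token is recognised as valid exactly once
        return "valid"

    def cleanup(self, now: float) -> int:
        stale = [b for b, r in self.tokens.items() if now - r["stored_at"] > self.cleanup_age]
        for b in stale:
            del self.tokens[b]
        return len(stale)

class BusinessServer:
    """Service processing method (Fig. 3): nonce, timestamp, parameter match, token."""

    def __init__(self, token_server: TokenServer, nonce_age: float = 300.0, max_skew: float = 120.0):
        self.token_server = token_server
        self.nonce_age = nonce_age  # preset aging time for stored random strings
        self.max_skew = max_skew  # preset time difference for the terminal timestamp
        self.nonces = {}  # random string -> time stored

    def handle(self, request_blob: str, now: float):
        try:
            req = open_sealed(request_blob)
        except ValueError:
            return "error: malformed request"
        # Random strings past their aging time are dropped before the lookup.
        self.nonces = {n: t for n, t in self.nonces.items() if now - t <= self.nonce_age}
        if req["nonce"] in self.nonces:
            return "error: replay attack"
        self.nonces[req["nonce"]] = now
        if now - req["ts"] > self.max_skew:
            return "error: stale request"
        token = open_sealed(req["token"])
        if token["params"] != req["params"]:
            return "error: service parameter mismatch"
        result = self.token_server.verify(req["token"])
        if result != "valid":
            return "error: token " + result
        return {"url": token["url"], "processed": req["params"]}  # constructed business logic

def client_flow(token_server: TokenServer, business_server: BusinessServer, now: float):
    """Terminal-side method (Fig. 1): acquire a token, then send one service request."""
    url = "https://api.example.test/transfer"  # constructed service request URL
    params = {"account": "A-1", "amount": 10}  # constructed service parameters
    token_request = seal({"uuid": str(uuid.uuid4()), "url": url, "params": params})
    token = token_server.acquire(token_request, now)
    request = seal({"token": token, "params": params, "nonce": secrets.token_hex(16), "ts": now})
    return request, business_server.handle(request, now)

if __name__ == "__main__":
    ts, bs = TokenServer(), BusinessServer(ts)
    request, result = client_flow(ts, bs, 1000.0)
    print("first send:", result)
    print("replayed:  ", bs.handle(request, 1001.0))
```

Replaying the identical request fails on the random string, a fresh request carrying the already-used token fails on the token state, and a request whose service parameters differ from those sealed in the token fails on the comparison before the token is ever consumed, which is why the parameter match sits ahead of the validity call. The nonce store is pruned on every request rather than by a background job, which keeps the example single-threaded; a deployment would typically move the nonce and token tables to a shared store with their aging time expressed as a TTL.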
A data encryption and transmission device for resisting replay attacks includes:
A token acquisition request unit, which generates a token acquisition request and sends the token acquisition request and the token request URL to the network side; the token acquisition request is obtained by asymmetrically encrypting, with a public key, one or more parameters among the terminal-side UUID, the service parameters and the service request URL;
A service request unit, which generates a service request from the token returned by the network side and sends the service request to the network side; the service request is obtained by asymmetrically encrypting, with a public key, one or more parameters among the token and the service parameters;
The service request unit also receives the processing result for the service request returned by the network side.
Further, the parameters from which the service request unit generates the service request by asymmetric encryption also include a random string and a terminal-side timestamp; the random string is generated randomly and differs between service requests; the terminal-side timestamp records the time at which the terminal side sends out the service request.
A token authentication device for anti-replay-attack encrypted data transmission includes:
A token acquisition request processing unit, which generates a token according to the received token acquisition request and sends the token to the network side; the token acquisition request is generated by asymmetrically encrypting, with a public key, the parameters including the terminal-side UUID, the service request URL and the service parameters;
A token processing unit, which verifies the validity of a token, sets the state of a token verified as valid to invalid, and sends the result of the token validity verification.
Further, the token acquisition request processing unit parses the received token acquisition request with the private key to obtain the parameters, which include the terminal-side UUID, the service request URL and the service parameters;
The token acquisition request processing unit obtains a server timestamp and asymmetrically encrypts the server timestamp together with the terminal-side UUID, the service request URL and the service parameters with a public key to generate the token.
Further, the token acquisition request processing unit confirms whether a token whose state is valid already exists for the service request.
Further, the device also includes a token cleanup unit, which stores the preset cleanup lifetime of each of the stored tokens and clears any token whose storage duration in the device exceeds its preset cleanup lifetime.
A service processing device for anti-replay-attack encrypted data transmission includes:
A service request processing unit, which decrypts the service request with the private key corresponding to the public key used for the service request and obtains the token; the service request is obtained by asymmetrically encrypting, with a public key, the parameters including the token and the service parameters;
The service request processing unit sends the token to the network side for validity verification;
A token verification result processing unit, which processes service requests whose token verification result is valid, and sends an error message to the network side for service requests whose token verification result is invalid.
Further, the service request processing unit parses the received service request to obtain the token and the service parameters; parses the token to obtain the service parameters contained in the token; compares the service parameters parsed from the service request with those parsed from the token; sends the token to the network side for validity verification if they match; and sends an error message if they do not.
Further, the parameters from which the received service request is generated also include a random string; when parsing the service request, the service request processing unit confirms whether the parsed random string already exists; a random string judged not to exist is stored with a preset aging time and deleted when its storage time exceeds that aging time; for a service request whose random string is judged to exist already, the service request processing unit sends an error message.
Further, the parameters from which the received service request is generated also include a terminal-side timestamp; the service request processing unit confirms whether the difference between the time at which the service request is received and the time recorded in the terminal-side timestamp exceeds the preset time difference, and sends an error message for a service request that exceeds it.
The beneficial effects of the present invention are as follows. The technical scheme of the present invention provides a data encryption and transmission method and device for resisting replay attacks, and further presents a token authentication method and device and a service processing method and device for anti-replay-attack encrypted data transmission. It discloses, from several aspects, generating in every encrypted data transmission a token corresponding to that transmission and, by verifying the token's validity, authenticity and other characteristics, establishing a safe and reliable transmission environment and preventing replay attacks in real time. By setting multiple judgement rules, the method and device protect encrypted data transmission from several angles and promptly feed back exception information according to the judgement results, so as to prevent attack patterns such as replay, tampering and forgery.
Description of the drawings
The exemplary embodiments of the present invention can be understood more fully by reference to the following drawings:
Fig. 1 is a flowchart of a data encryption and transmission method for resisting replay attacks according to a specific embodiment of the invention;
Fig. 2 is a flowchart of a token authentication method for anti-replay-attack encrypted data transmission according to a specific embodiment of the invention;
Fig. 3 is a flowchart of a service processing method for anti-replay-attack encrypted data transmission according to a specific embodiment of the invention;
Fig. 4 is a structural diagram of a data encryption and transmission device for resisting replay attacks according to a specific embodiment of the invention;
Fig. 5 is a structural diagram of a token authentication device for anti-replay-attack encrypted data transmission according to a specific embodiment of the invention;
Fig. 6 is a structural diagram of a service processing device for anti-replay-attack encrypted data transmission according to a specific embodiment of the invention; and
Fig. 7 is a structural schematic diagram of a client and a service server performing anti-replay-attack encrypted data transmission according to a specific embodiment of the invention.
Specific implementation mode
Exemplary embodiments of the present invention are now introduced with reference to the drawings. The present invention may, however, be implemented in many different forms and is not limited to the embodiments described herein; these embodiments are provided so that the invention is disclosed thoroughly and completely and its scope is fully conveyed to those of ordinary skill in the field. The terms used for the exemplary embodiments illustrated in the drawings do not limit the invention. In the drawings, identical units or elements are given identical reference signs.
Unless otherwise indicated, the terms used herein (including scientific and technical terms) have the meanings commonly understood by those of ordinary skill in the field. It will further be understood that terms defined in commonly used dictionaries should be interpreted as having meanings consistent with the context of the related field, and not in an idealised or overly formal sense.
Fig. 1 is a flowchart of a data encryption and transmission method for resisting replay attacks according to a specific embodiment of the invention; as shown in Fig. 1, the method includes:
Step 110: generating a token acquisition request, and sending the token acquisition request and the token request URL to the network side; the token acquisition request is obtained by asymmetrically encrypting, with a public key, one or more parameters among the terminal-side UUID, the service parameters and the service request URL;
The executing subject of this embodiment includes, but is not limited to, the client on the terminal side; the target of execution is the network side, which includes one or more targets, in this embodiment a token server and a service server;
In this embodiment, the specific parameters from which the token acquisition request is generated include the terminal-side UUID, the service parameters and the service request URL. The terminal-side UUID is a universally unique identifier that represents the uniqueness of the executing client, so that the token carries an identifier by which the executing subject can be authenticated; the source of a token can subsequently be confirmed by parsing the UUID out of it. One executing subject may send out multiple tokens to execute multiple service requests, and the service parameters mark the present service: when the network side authenticates the token, it confirms whether the service request is abnormal by comparing the actual service parameters with the parsed ones. The service request URL builds the connection between the terminal side and the network side, in particular between the client and the service server, and the token request URL builds the connection between the client and the token server;
The token acquisition request is obtained by asymmetrically encrypting the above specific parameters with a public key; many encryption schemes may be chosen here, and those skilled in the art can select one according to actual needs, so this is not repeated here;
Step 120: receiving the token returned by the network side, and generating a service request from the token; the service request is obtained by asymmetrically encrypting, with a public key, one or more parameters among the token and the service parameters;
After the token acquisition request is sent to the network side, the network side parses and processes the token acquisition request and then returns the corresponding token to the terminal side;
The token is equivalent to the authentication credential by which the network side, when handling the service request, determines whether the sender of the service request is authentic and valid; the token and the service parameters are asymmetrically encrypted with a public key to obtain the service request. Many asymmetric encryption schemes may be designed here, and those skilled in the art can select one according to actual needs, so again this is not repeated;
Further, the parameters from which the service request is generated by asymmetric encryption also include a random string and a terminal-side timestamp; the random string is generated randomly and differs between service requests; the terminal-side timestamp records the time at which the terminal side sends out the service request. The random string is used at the service server to verify whether the service request containing it is a replay attack, and the terminal-side timestamp is used at the service server to verify whether the service request corresponding to that timestamp is the most recent one sent;
Step 130: sending the service request to the network side;
In this embodiment, the service request is sent to the service server of the network side; the connection from the client to the service server is completed through the service request URL;
Step 140: receiving the processing result for the service request returned by the network side;
Taking this embodiment as an example, after the service server of the network side finishes processing the request, it returns the processing result corresponding to the service request to the client on the terminal side;
The processing result includes the actual processing of the service request, error messages fed back for token exceptions, and abnormal warnings fed back when there is a risk of replay attack.
A data encryption and transmission method for resisting replay attacks generates, in every encrypted data transmission, a token corresponding to that transmission and, by verifying the token's authenticity and other characteristics, establishes a safe and reliable transmission environment and prevents replay attacks in real time, so as to prevent attack patterns such as replay, tampering and forgery.
Fig. 2 is a kind of token authentication method for anti-replay-attack Data Encryption Transmission of the specific embodiment of the invention Flow chart;As shown in Fig. 2, the method includes following two situations:
Step 201, when receiving token acquisition request, token is requested to generate according to token acquisition;The token It is non-right that acquisition request is carried out by the multiple parameters of UUID, service request URL and service parameter including end side by public key Encryption is claimed to generate;
Executive agent in present embodiment, the including but not limited to server of network side, particularly, the token of network side Server;And present embodiment performance objective includes end side and network side;In the present embodiment, the end side includes visitor Family end, the network side include a service server;
Further, before requesting to generate token according to token acquisition, the method further includes:
The token received by private key parsing obtains request, and acquisition includes the UUID, service request URL and industry of end side The multiple parameters for parameter of being engaged in;
Obtain server time stamp, and by server time stamp and UUID, the service request URL of the end side with And service parameter carries out asymmetric encryption by public key, generates the token;
Further, before obtaining server time stamp, the method further includes:
It is confirmed whether that existing state corresponding with the service request is effective token;
If in the presence of effective token corresponding with the service request is back to end side;
If being not present, service timestamp is obtained, and further generate token;
By taking the present embodiment as an example, when receiving token acquisition request, to obtaining request encryption use according to the token The corresponding private key of public key, to the token, request is decrypted in the past, acquisition include UUID, the service request URL of end side with And the multiple parameters of service parameter;
According to the service request URL and the service parameters, the token server checks whether it already holds a corresponding token whose state is valid. If one exists, no new token is generated and the existing token is returned to the terminal side as the token corresponding to the token acquisition request; if none exists, a token is generated.
The token is obtained by asymmetrically encrypting, with the public key, multiple parameters including the token server timestamp, the terminal-side UUID, the service request URL and the service parameters. Many asymmetric encryption schemes can be used here; those skilled in the art may choose one according to actual needs, and they are not described further.
Step 202, the token is sent;
In the present embodiment, the token server sends the token to the client on the terminal side.
Step 230, when a token is received, its validity is verified, and the state of a token that has been verified as valid is set to invalid;
In the present embodiment, to verify that the service request sent by the client is authentic and valid, the service server sends the token to the token server, which verifies its validity.
After generating a new token, the token server retains the token information locally and marks the token's state as valid. When the token server receives a token, it searches the locally retained token information to locate the corresponding entry. If the token is marked invalid, the result "token invalid" is returned to the service server; if the token is marked valid, the result "token valid" is returned to the service server and, at the same time, the token's state is changed from valid to invalid. Thus each token can be confirmed valid only once, which prevents replay attacks at the token verification level. If no information about the token is found locally, the token is abnormal, and this abnormal result is likewise returned to the service server.
Step 240, the result of the token validity verification is sent;
As described above, the result of the token validity verification is one of: token valid, token invalid, or token abnormal.
Further, each of the stored tokens has a corresponding default cleanup period; when a token has been stored for longer than its default cleanup period, the token is purged.
As described above, the token server stores the information of many tokens. If this information were kept permanently, then as the server runs for a long time the accumulation of useless tokens could overload the token server and waste resources. A periodic cleanup is therefore configured so that tokens stored longer than the preset time are purged, keeping the total amount of data in the token store stable.
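The token server behaviour of steps 230 and 240 and the cleanup rule above, as an added example in Python (not the patent's own code): the public-key ciphertext that forms the token is replaced by an opaque random identifier, and the current time is passed in as a hypothetical `now` argument so the single-use and cleanup logic can be exercised deterministically.

```python
"""Token server from the Fig. 2 flow: issue once per (URL, params), verify once, purge.

Added example, not the patent's code. The asymmetric encryption step is stood in
for by a random token id; `now` is a hypothetical explicit clock parameter.
"""
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class TokenRecord:
    uuid: str          # terminal-side UUID
    url: str           # service request URL
    params: str        # service parameters
    issued_at: float   # token server timestamp
    valid: bool = True # state: valid until verified once


class TokenServer:
    def __init__(self, cleanup_period: float = 300.0):
        self.cleanup_period = cleanup_period   # default cleanup period per token
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, uuid: str, url: str, params: str, now: float) -> str:
        """Return an existing *valid* token for (url, params), else generate one."""
        for tok, rec in self._tokens.items():
            if rec.valid and rec.url == url and rec.params == params:
                return tok
        tok = secrets.token_hex(16)   # stands in for the public-key ciphertext
        self._tokens[tok] = TokenRecord(uuid, url, params, now)
        return tok

    def verify(self, tok: str) -> str:
        """Return 'valid', 'invalid' or 'abnormal'; a valid token becomes invalid."""
        rec = self._tokens.get(tok)
        if rec is None:
            return "abnormal"      # never issued here
        if not rec.valid:
            return "invalid"       # already consumed: replay at token level
        rec.valid = False          # one-time validity
        return "valid"

    def cleanup(self, now: float) -> int:
        """Purge tokens stored longer than the cleanup period; return how many."""
        stale = [t for t, r in self._tokens.items()
                 if now - r.issued_at > self.cleanup_period]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def stored(self) -> int:
        return len(self._tokens)
```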
Fig. 3 is a flowchart of a service processing method for anti-replay-attack encrypted data transmission according to an embodiment of the present invention; as shown in Fig. 3, the method includes:
Step 310, when a service request is received, the service request is decrypted using the private key corresponding to the public key used for the service request, and the token is obtained; the service request is obtained by asymmetrically encrypting, with the public key, multiple parameters including the token and the service parameters;
The executing subject in this embodiment includes, but is not limited to, a server on the network side, in particular the service server on the network side; the objects involved in this embodiment include the terminal side and the network side. In this embodiment, the terminal side includes a client, and the network side includes a token server;
Taking this embodiment as an example, the received service request is sent by the client;
Further, the multiple parameters from which the received service request is generated also include a random string, and the method further includes:
When the service request is parsed, confirming whether the random string obtained by parsing already exists;
If it exists, judging the service request to be a replay attack and sending an error message;
If it does not exist, storing the random string with a preset aging time, the random string being automatically deleted once the aging time has elapsed;
Confirming whether the random string obtained by parsing already exists means confirming whether the random string is stored locally on the service server, because the service server stores each random string it sees for the first time for the preset aging time. If, when verifying the random string, it is found that the random string already exists, this shows that the random string is not appearing for the first time within the preset aging period; since generating a duplicate random string within the preset aging time is practically impossible, a duplicate indicates that the service request is a replay attack. To reduce the load on the service server, a random string is deleted once it exceeds the preset aging time;
Further, the multiple parameters from which the received service request is generated also include a terminal-side timestamp, which records the time at which the terminal side sent the service request; the method further includes:
Confirming whether the difference between the time at which the service request is received and the time recorded by the terminal-side timestamp exceeds a preset time difference;
If it does, the service request was sent before the preset time difference and carries a risk of attack, and an error message is sent;
If it does not, the service request was sent normally within the preset time difference.
Taking this embodiment as an example, if the difference between the time of the service request and the time recorded by the terminal-side timestamp exceeds the preset time difference, this shows that the service request was not sent at the time it was generated, or that its transmission was altered so that the service server now receiving it was not its first destination. Over such a long interval it is easy for content to be tampered with or forged, so there is a considerable risk of attack and error information needs to be fed back promptly.
Step 320, sending the token to the network side for validity verification;
Taking this embodiment as an example, the network side is the token server. If an exception is found when verifying the random string and the terminal-side timestamp, that is, when there is a risk of attack, the token no longer needs to be sent to the token server for validity verification; an error message is fed back directly to the client on the terminal side;
Step 330, when the token verification result is received, if the verification result is valid, processing the service request URL corresponding to the token and sending the processing result;
Step 340, if the verification result is invalid, sending an error message;
Taking this embodiment as an example, the service server sends the processing result to the client; the error information relates to the results token valid, token invalid and token abnormal.
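The service-server checks of steps 310 to 340 (random string, terminal-side timestamp, service-parameter match, then single-use token verification), as an added example in Python rather than the patent's own code; decryption is assumed already done, the token server is injected as the hypothetical callables `verify_token` and `token_params`, and the relative order of the pre-checks before the token is forwarded is an assumption.

```python
"""Service server from the Fig. 3 flow: nonce, timestamp and parameter checks
before the token is forwarded for one-time validity verification.

Added example, not the patent's code. A request is a dict holding the fields the
patent lists after decryption; `verify_token` and `token_params` are hypothetical
callables standing in for the token server; `now` is an explicit clock parameter.
"""
from typing import Callable, Dict, Tuple


class ServiceServer:
    def __init__(self, verify_token: Callable[[str], str],
                 token_params: Callable[[str], str],
                 max_skew: float = 30.0, nonce_aging: float = 120.0):
        self.verify_token = verify_token    # token server: 'valid'/'invalid'/'abnormal'
        self.token_params = token_params    # service params embedded in the token
        self.max_skew = max_skew            # preset time difference
        self.nonce_aging = nonce_aging      # preset aging time for random strings
        self._nonces: Dict[str, float] = {} # random string -> time first seen

    def _expire_nonces(self, now: float) -> None:
        """Drop random strings stored longer than the aging time."""
        for n, seen in list(self._nonces.items()):
            if now - seen > self.nonce_aging:
                del self._nonces[n]

    def handle(self, req: Dict[str, object], now: float) -> Tuple[bool, str]:
        """Return (accepted, reason); the pre-check order is an assumption."""
        self._expire_nonces(now)
        nonce = str(req["random"])
        if nonce in self._nonces:
            return False, "replay: random string already seen"
        self._nonces[nonce] = now            # first sighting: remember for aging time
        if now - float(req["terminal_ts"]) > self.max_skew:
            return False, "stale: terminal timestamp outside preset window"
        token = str(req["token"])
        if self.token_params(token) != req["service_params"]:
            return False, "mismatch: service params differ from token"
        result = self.verify_token(token)    # token server marks valid -> invalid
        if result != "valid":
            return False, "token " + result
        return True, "processed " + str(req["url"])
```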
Fig. 4 is a structural diagram of an encrypted data transmission device for anti-replay-attack according to a specific embodiment of the present invention; as shown in Fig. 4, the device includes:
A token acquisition request unit 410, which is used to generate a token acquisition request and send the token acquisition request and the token request URL to the network side; the token acquisition request is obtained by asymmetrically encrypting, with the public key, one or more parameters including the terminal-side UUID, the service parameters and the service request URL;
A service request unit 420, which is used to generate a service request according to the token returned by the network side and to send the service request to the network side; the service request is obtained by asymmetrically encrypting, with the public key, one or more parameters including the token and the service parameters;
The service request unit 420 is used to receive the processing result for the service request returned by the network side;
Further, the multiple parameters that the service request unit 420 asymmetrically encrypts to generate the service request also include a random string and a terminal-side timestamp; the random string is randomly generated and differs between different service requests; the terminal-side timestamp records the time at which the terminal side sent the service request.
Fig. 5 is a structural diagram of a token verification device for anti-replay-attack encrypted data transmission according to a specific embodiment of the present invention; as shown in Fig. 5, the device includes:
A token acquisition request processing unit 510, which is used to generate a token according to the received token acquisition request and send the token to the network side; the token acquisition request is generated by asymmetrically encrypting, with the public key, multiple parameters including the terminal-side UUID, the service request URL and the service parameters;
Further, the token acquisition request processing unit 510 is used to parse the received token acquisition request with the private key, obtaining the multiple parameters including the terminal-side UUID, the service request URL and the service parameters;
The token acquisition request processing unit 510 is used to obtain a server timestamp and to asymmetrically encrypt, with the public key, the server timestamp together with the terminal-side UUID, the service request URL and the service parameters, generating the token;
Further, the token acquisition request processing unit 510 checks whether a token corresponding to the service request already exists whose state is valid;
A token processing unit 520, which is used to verify the validity of a token and set the state of a token verified as valid to invalid; the token processing unit 520 is used to send the result of the token validity verification;
Further, the device also includes a token cleanup unit 530, which is used to store the default cleanup period of each of the multiple tokens and to purge tokens whose storage duration in the device exceeds their default cleanup period.
Fig. 6 is a structural diagram of a service processing device for anti-replay-attack encrypted data transmission according to a specific embodiment of the present invention; as shown in Fig. 6, the device includes:
A service request processing unit 610, which is used to decrypt the service request with the private key corresponding to the public key used for the service request and obtain the token; the service request is obtained by asymmetrically encrypting, with the public key, multiple parameters including the token and the service parameters;
The service request processing unit 610 is used to send the token to the network side for validity verification;
Further, the service request processing unit 610 is used to parse the received service request and obtain the token and the service parameters; to parse the token and obtain the service parameters contained in the token; and to compare the service parameters parsed from the service request with those parsed from the token, sending the token to the network side for validity verification if they match and sending an error message if they do not;
Further, the multiple parameters from which the received service request is generated also include a random string. When the service request processing unit 610 parses the service request, it confirms whether the random string obtained by parsing already exists; it stores a random string judged not to exist for the preset aging time and deletes it once its storage time exceeds the aging time; and it sends an error message for a service request whose random string is judged to already exist;
Further, the multiple parameters from which the received service request is generated also include a terminal-side timestamp. The service request processing unit 610 is used to confirm whether the difference between the time at which the service request is received and the time recorded by the terminal-side timestamp exceeds the preset time difference, and to send an error message for a service request that exceeds the preset time difference;
A token verification result processing unit 620, which is used to process a service request whose token verification result is valid, and to send an error message to the network side for a service request whose token verification result is invalid.
Fig. 7 is a schematic structural diagram of a client performing anti-replay-attack encrypted data transmission with a service server according to a specific embodiment of the invention. As shown in Fig. 7, the client communicates with the token server to send a token acquisition request and receive the corresponding token. When performing encrypted data transmission with the service server, the client sends the token to the service server; after receiving the token, the service server communicates with the token server to verify whether the token is valid, and completes service activities such as data transmission according to the verification result. The data encryption transmission method and device shown in Fig. 7 generate, for each encrypted data transmission, a token corresponding to that transmission and verify the token's validity, authenticity and other properties, thereby establishing a safe and reliable transmission environment and preventing replay attacks in real time. By setting multiple judgment rules, the method and device protect encrypted data transmission from multiple angles and feed back exception information promptly according to the judgment results, so as to prevent attack patterns such as replay, tampering and forgery.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the disclosure may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from those of the embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose. The step numbers referred to in this specification serve only to distinguish the steps and do not limit the temporal or logical relationship between them; unless the context clearly dictates otherwise, the relationship between the steps includes all possible cases.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the disclosure and to form different embodiments. For example, any of the embodiments claimed in the claims may be used in any combination.
The component embodiments of the disclosure may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. The disclosure may also be implemented as a device or system program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the disclosure may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the disclosure, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The disclosure may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several systems, several of these systems may be embodied by one and the same item of hardware.
The above are only specific embodiments of the disclosure; it should be noted that those of ordinary skill in the art may make several improvements, modifications and variations without departing from the spirit of the disclosure, and these improvements, modifications and variations are regarded as falling within the scope of protection of this application.

Claims (10)

1. A data encryption transmission method for anti-replay-attack, the method comprising:
generating a token acquisition request and sending the token acquisition request and a token request URL to a network side, the token acquisition request being obtained by asymmetrically encrypting, with a public key, one or more parameters including a terminal-side UUID, service parameters and a service request URL;
receiving the token returned by the network side and generating a service request according to the token, the service request being obtained by asymmetrically encrypting, with the public key, one or more parameters including the token and the service parameters;
sending the service request to the network side;
receiving the processing result for the service request returned by the network side.
2. A token verification method for anti-replay-attack encrypted data transmission, the method comprising:
when a token acquisition request is received, generating a token according to the token acquisition request, the token acquisition request being generated by asymmetrically encrypting, with a public key, multiple parameters including a terminal-side UUID, a service request URL and service parameters;
sending the token;
when a token is received, verifying the validity of the token and setting the state of a token verified as valid to invalid;
sending the result of the token validity verification.
3. The method according to claim 2, characterized in that, before generating the token according to the token acquisition request, the method further comprises:
parsing the received token acquisition request with a private key, obtaining the multiple parameters including the terminal-side UUID, the service parameters and the service request URL;
obtaining a server timestamp and asymmetrically encrypting, with the public key, the server timestamp together with the terminal-side UUID, the service request URL and the service parameters, generating the token.
4. The method according to claim 2, characterized in that each of the stored tokens has a corresponding default cleanup period, and that when a token has been stored for longer than its default cleanup period, the token is purged.
5. A service processing method for anti-replay-attack encrypted data transmission, the method comprising:
when a service request is received, decrypting the service request with a private key corresponding to the public key used for the service request and obtaining the token, the service request being obtained by asymmetrically encrypting, with the public key, multiple parameters including the token and service parameters;
sending the token to a network side for validity verification;
when the token verification result is received, if the verification result is valid, processing the service request URL corresponding to the token and sending the processing result;
if the verification result is invalid, sending an error message.
6. The method according to claim 5, characterized in that, before sending the token to the token server for validity verification, the method further comprises:
parsing the received service request to obtain the token and the service parameters;
parsing the token to obtain the service parameters contained in the token;
comparing the service parameters parsed from the service request with the service parameters parsed from the token and confirming whether the two match;
if they match, sending the token to the network side for validity verification;
if they do not match, sending an error message.
7. The method according to claim 5, characterized in that the multiple parameters from which the received service request is generated further include a random string, and the method further comprises:
when parsing the service request, confirming whether the random string obtained by parsing already exists;
if it exists, judging the service request to be a replay attack and sending an error message;
if it does not exist, storing the random string with a preset aging time, the random string being automatically deleted once the aging time has elapsed.
8. An encrypted data transmission device for anti-replay-attack, the device comprising:
a token acquisition request unit, used to generate a token acquisition request and send the token acquisition request and a token request URL to a network side, the token acquisition request being obtained by asymmetrically encrypting, with a public key, one or more parameters including a terminal-side UUID, service parameters and a service request URL;
a service request unit, used to generate a service request according to the token returned by the network side and to send the service request to the network side, the service request being obtained by asymmetrically encrypting, with the public key, one or more parameters including the token and the service parameters;
the service request unit being used to receive the processing result for the service request returned by the network side.
9. A token verification device for anti-replay-attack encrypted data transmission, the device comprising:
a token acquisition request processing unit, used to generate a token according to a received token acquisition request and send the token to a network side, the token acquisition request being generated by asymmetrically encrypting, with a public key, multiple parameters including a terminal-side UUID, a service request URL and service parameters;
a token processing unit, used to verify the validity of a token and set the state of a token verified as valid to invalid, and to send the result of the token validity verification.
10. A service processing device for anti-replay-attack encrypted data transmission, the device comprising:
a service request processing unit, used to decrypt a service request with a private key corresponding to the public key used for the service request and obtain a token, the service request being obtained by asymmetrically encrypting, with the public key, multiple parameters including the token and service parameters;
the service request processing unit being used to send the token to a network side for validity verification;
a token verification result processing unit, used to process a service request whose token verification result is valid and to send an error message to the network side for a service request whose token verification result is invalid.
CN201810501127.XA 2018-05-23 2018-05-23 Data encryption transmission method and device for preventing replay attack Active CN108737110B (en)

Publications (2)

Publication Number Publication Date
CN108737110A true CN108737110A (en) 2018-11-02
CN108737110B CN108737110B (en) 2021-05-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240410

Address after: Room 305, 306, 307, Building 4, Haizhi Center, No. 2301 Yuhangtang Road, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province, 310000
Patentee after: Hangzhou Jiexiang Technology Co.,Ltd.
Country or region after: China

Address before: 310016 Room 601, building a, Hualian times building, 8 Xinye Road, Jianggan District, Hangzhou City, Zhejiang Province
Patentee before: ZHONGHUI ACCOUNTING FIRM (SPECIAL GENERAL PARTNERSHIP)
Country or region before: China