CN109787954B - PHP interface security filtering method and system - Google Patents
- Publication number: CN109787954B (application CN201811519459.7A)
- Authority: CN (China)
- Prior art keywords: data packet, server, user client, encrypted data, value
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a PHP interface security filtering method comprising the following steps: installing a user client and acquiring a certificate; receiving an initialization instruction sent by the user client and issuing a password; encrypting a data packet, where the data packet comprises communication data, a signature and an MD5 value, the communication data is encrypted with the server public key, the signature is encrypted with the client private key, and the MD5 value is calculated from the password; decrypting the data packet, verifying the MD5 value, decrypting the signature, and finally decrypting the communication data, in that order. The invention also discloses a PHP interface security filtering system. The invention offers better logic processing and security processing, and can mitigate brute-force cracking of interfaces, packet-capture attacks and parameter tampering to a certain extent.
Description
Technical Field
The invention relates to the technical field of app security, in particular to a PHP interface security filtering method and a PHP interface security filtering system.
Background
Today the Internet is widespread and evolving rapidly, and the challenges of application security are becoming more and more severe. Application attack techniques are increasingly mature and widely available, attacks on and damage to apps keep increasing, and app security risk has reached an unprecedented level, with risks such as illegitimate client requests, incomplete interface parameters and susceptibility to brute-force attacks.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a PHP interface security filtering method and a PHP interface security filtering system, which offer better logic processing and security processing and can mitigate brute-force cracking of interfaces, packet-capture attacks and parameter tampering to a certain extent.
The technical scheme adopted by the invention is as follows:
a PHP interface security filtering method comprises the following steps:
a. receiving a certificate request instruction sent after a user client is installed, generating a certificate adapted to the user client, wherein the certificate comprises a user client public key and a user client private key, storing the user client public key in a server, and sending the server public key and the user client private key to the user client for interface communication;
b. receiving an initialization instruction sent by a user client, sending a unique password to the user client after receiving the initialization instruction, and simultaneously storing the password in a server;
c. receiving an encrypted data packet sent by a user client, wherein the encrypted data packet comprises communication data, a signature and an MD5 value, the communication data is encrypted by using a server public key, the signature is encrypted by using a client private key, and the MD5 value is calculated according to a password;
d. decrypting the encrypted data packet sent by the user client, reading the corresponding password on the server, recalculating the MD5 value from the password on the server, and comparing it with the MD5 value in the encrypted data packet; if the two values differ, the encrypted data packet is abnormal and is discarded; if they are the same, performing step e;
e. decrypting the signature in the encrypted data packet by using the public key of the user client, if the decryption is unsuccessful, indicating that the encrypted data packet is abnormal, and discarding the encrypted data packet; if the decryption is successful, entering the step f;
f. decrypting the communication data in the encrypted data packet by using a server private key, if the decryption is unsuccessful, indicating that the encrypted data packet is abnormal, and discarding the encrypted data packet; if the decryption is successful, the communication data is read.
Preferably, in step c: the MD5 value in the encrypted data packet sent by the user client is calculated and generated by the user client by using a password and a current timestamp;
in step d: the recalculated MD5 value is calculated from the password on the server and the timestamp in the read encrypted packet.
Preferably, the method further comprises the following steps:
setting one-to-one corresponding serial numbers for all the interfaces, and storing the sequence queues of the interfaces on a server;
receiving an operation instruction from a user client and comparing the order in which the interfaces are called with the sequence queue on the server; if the call order follows the sequence logic, the data is legal data; if it does not, the data is treated as disguised data.
A PHP interface security filtering system comprising:
a client module, used to install the user client, communicate with the server through the interface, acquire the server public key, the user client private key and the unique password from the server, and encrypt the data packets sent to the server;
a server, used to send the server public key, the user client private key and the unique password to the client module, to verify and decrypt the data packets sent by the client module, and to check the client's calling operations against the sequence queue;
a sequence module, used to configure one-to-one serial numbers for all communication interfaces and to send the interface sequence queue to the server.
Preferably, the encrypted data packet sent by the client module to the server comprises communication data, a signature and an MD5 value, where the communication data is encrypted with the server public key, the signature is encrypted with the client private key, and the MD5 value is calculated from the password and a timestamp; when the server verifies the data packet, it reads the corresponding password on the server, recalculates the MD5 value from that password and the timestamp read from the data packet, and compares it with the MD5 value in the encrypted data packet for verification.
The invention has the following beneficial effects:
1. Validity is verified using a dynamic password.
2. The request packet is protected using RSA signatures and dynamic certificates, so that the accuracy and integrity of the parameters can be determined.
3. The user's usage flow and request frequency are verified using the logical-flow interface ID.
Drawings
FIG. 1 is a schematic flow chart of example 1 of the present invention;
FIG. 2 is a schematic structural diagram of example 2 of the present invention;
Reference numerals: 1, client module; 2, server; 3, sequence module.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
As shown in fig. 1, a PHP interface security filtering method includes the following steps:
a. receiving a certificate request instruction sent after a user client is installed, generating a certificate adapted to the user client, wherein the certificate comprises a user client public key and a user client private key, storing the user client public key in a server, and sending the server public key and the user client private key to the user client for interface communication;
b. receiving an initialization instruction sent by a user client, sending a unique password to the user client after receiving the initialization instruction, and simultaneously storing the password in a server;
c. receiving an encrypted data packet sent by a user client, wherein the encrypted data packet comprises communication data, a signature and an MD5 value, the communication data is encrypted by using a server public key, the signature is encrypted by using a client private key, and the MD5 value is calculated according to a password;
d. decrypting the encrypted data packet sent by the user client, reading the corresponding password on the server, recalculating the MD5 value from the password on the server, and comparing it with the MD5 value in the encrypted data packet; if the two values differ, the encrypted data packet is abnormal and is discarded; if they are the same, performing step e;
e. decrypting the signature in the encrypted data packet by using the public key of the user client, if the decryption is unsuccessful, indicating that the encrypted data packet is abnormal, and discarding the encrypted data packet; if the decryption is successful, entering the step f;
f. decrypting the communication data in the encrypted data packet by using a server private key, if the decryption is unsuccessful, indicating that the encrypted data packet is abnormal, and discarding the encrypted data packet; if the decryption is successful, the communication data is read.
Preferably, in step c: the MD5 value in the encrypted data packet sent by the user client is calculated and generated by the user client by using a password and a current timestamp;
in step d: the recalculated MD5 value is calculated from the password on the server and the timestamp in the read encrypted packet.
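The packet exchange of steps c to f, written out in Go as an added example that is not part of the patent. It realises "communication data encrypted with the server public key" as RSA-OAEP and "signature encrypted with the client private key" as an RSA-PSS signature over the ciphertext; the padding modes, the password||timestamp concatenation order, the Unix-seconds timestamp and the MaxSkew freshness window are assumptions the patent does not specify.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Packet carries the patent's three fields plus the timestamp the server needs in step d.
type Packet struct {
	Data      []byte // communication data encrypted to the server public key (RSA-OAEP assumed)
	Signature []byte // "signature encrypted with the client private key", realised as RSA-PSS
	Timestamp int64  // client's current timestamp, Unix seconds (assumed format)
	MD5       string // hex MD5 over password || timestamp
}

// md5Tag is the MD5 value of step c: password and current timestamp (concatenation order assumed).
func md5Tag(password string, ts int64) string {
	sum := md5.Sum([]byte(password + strconv.FormatInt(ts, 10)))
	return hex.EncodeToString(sum[:])
}

// BuildPacket is the client side of step c.
func BuildPacket(serverPub *rsa.PublicKey, clientPriv *rsa.PrivateKey, password string, ts int64, plaintext []byte) (Packet, error) {
	data, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, plaintext, nil)
	if err != nil {
		return Packet{}, err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPSS(rand.Reader, clientPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Packet{}, err
	}
	return Packet{Data: data, Signature: sig, Timestamp: ts, MD5: md5Tag(password, ts)}, nil
}

// Server holds what steps a and b leave on the server: its key pair, the client public key, the unique password.
type Server struct {
	Priv      *rsa.PrivateKey
	ClientPub *rsa.PublicKey
	Password  string
}

// MaxSkew (seconds) is an added freshness window, not part of the patent: without it a
// captured packet recomputes to the same MD5 value and passes step d when replayed.
const MaxSkew = 30

// Verify runs steps d, e and f in order; the error names the step at which the packet is discarded.
func (s *Server) Verify(p Packet, now int64) ([]byte, error) {
	if p.MD5 != md5Tag(s.Password, p.Timestamp) {
		return nil, fmt.Errorf("step d: MD5 value mismatch, packet discarded")
	}
	if d := now - p.Timestamp; d > MaxSkew || d < -MaxSkew {
		return nil, fmt.Errorf("step d: timestamp outside %ds window, packet discarded", MaxSkew)
	}
	digest := sha256.Sum256(p.Data)
	if err := rsa.VerifyPSS(s.ClientPub, crypto.SHA256, digest[:], p.Signature, nil); err != nil {
		return nil, fmt.Errorf("step e: signature check failed, packet discarded: %w", err)
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.Priv, p.Data, nil)
	if err != nil {
		return nil, fmt.Errorf("step f: decryption failed, packet discarded: %w", err)
	}
	return plain, nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // step a: server key pair
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048) // step a: certificate for the client
	srv := &Server{Priv: serverKey, ClientPub: &clientKey.PublicKey, Password: "constructed-unique-password"}
	pkt, _ := BuildPacket(&serverKey.PublicKey, clientKey, srv.Password, 1700000000, []byte("uid=42&op=shake"))
	out, err := srv.Verify(pkt, 1700000005) // server clock 5 s after the client's
	fmt.Printf("%q %v\n", out, err)
}
```

As step d is written in the patent, a captured packet recomputes to the same MD5 value indefinitely, so the timestamp only helps against replay when the server also bounds its age, which is what MaxSkew adds here.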
Preferably, the method further comprises the following steps:
setting one-to-one corresponding serial numbers for all the interfaces, and storing the sequence queues of the interfaces on a server;
receiving an operation instruction from a user client and comparing the order in which the interfaces are called with the sequence queue on the server; if the call order follows the sequence logic, the data is legal data; if it does not, the data is treated as disguised data.
For example, if user A has not registered or logged in but uses the "shake" function, the request can be judged to be a disguised transmission.
The PHP interface security filtering method of this embodiment combines several techniques, namely acquisition of a user client private key, an MD5 algorithm over a unique password combined with a timestamp, and interface sequencing; compared with conventional techniques it offers better logic processing and security processing, and can mitigate brute-force cracking of interfaces, packet-capture attacks and parameter tampering to a certain extent.
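The interface sequence check of the last steps above, as an added Go example that is not part of the patent: the sequence module's one-to-one serial numbers become a map held by the server, and each user client's progress through the queue is tracked so that a request skipping ahead, such as user A's "shake" call, is reported as disguised data. The interface names and their order are constructed for the example.

```go
package main

import "fmt"

// SequenceQueue is the server's copy of the one-to-one interface serial numbers
// configured by the sequence module. The interface names and their order are
// constructed for this example; the patent only requires a fixed numbering.
var SequenceQueue = map[string]int{
	"register": 1,
	"login":    2,
	"shake":    3,
}

// ClientProgress records the furthest step in the sequence a given user client
// has legitimately reached (0 = nothing called yet).
type ClientProgress struct {
	Reached int
}

// CheckCall applies the patent's rule: a call follows the sequence logic only if
// every interface with a lower serial number has already been called by this
// client. A call that skips ahead is reported as disguised data and not counted.
// Re-calling an already-reached interface (for example logging in again) stays legal.
func (c *ClientProgress) CheckCall(iface string) error {
	n, ok := SequenceQueue[iface]
	if !ok {
		return fmt.Errorf("interface %q has no serial number: discarded", iface)
	}
	if n > c.Reached+1 {
		return fmt.Errorf("interface %q (serial %d) called before serial %d: disguised data", iface, n, c.Reached+1)
	}
	if n == c.Reached+1 {
		c.Reached = n
	}
	return nil
}

func main() {
	// User A tries the shake function without registering or logging in first.
	userA := &ClientProgress{}
	fmt.Println(userA.CheckCall("shake"))
	// A client that walks the configured order is accepted at every step.
	userB := &ClientProgress{}
	for _, call := range []string{"register", "login", "shake"} {
		fmt.Println(call, userB.CheckCall(call))
	}
}
```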
Example 2
A PHP interface security filtering system comprising:
a client module 1, used to install the user client, communicate with the server through the interface, acquire the server public key, the user client private key and the unique password from the server, and encrypt the data packets sent to the server;
a server 2, used to send the server public key, the user client private key and the unique password to the client module, to verify and decrypt the data packets sent by the client module, and to check the client's calling operations against the sequence queue;
a sequence module 3, used to configure one-to-one serial numbers for all communication interfaces and to send the interface sequence queue to the server.
Preferably, the encrypted data packet sent by the client module to the server comprises communication data, a signature and an MD5 value, where the communication data is encrypted with the server public key, the signature is encrypted with the client private key, and the MD5 value is calculated from the password and a timestamp; when the server verifies the data packet, it reads the corresponding password on the server, recalculates the MD5 value from that password and the timestamp read from the data packet, and compares it with the MD5 value in the encrypted data packet; if the verification passes, the signature in the encrypted data packet is decrypted with the public key of the user client; if that decryption succeeds, the communication data in the encrypted data packet is decrypted with the server private key; and if that decryption also succeeds, the data packet is a legal data packet and the communication data is read.
At the same time, each time it receives an interface communication data packet the server verifies the interface serial number, and the data is legal only if the order in which the user client calls the interfaces conforms to the logic; for example, if user A has not registered or logged in but uses the "shake" function, the request can be judged to be a disguised transmission.
The above embodiments only express specific embodiments of the present invention; although their description is specific and detailed, it is not to be construed as limiting the scope of the present invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention.
Claims (2)
1. A PHP interface security filtering method is characterized by comprising the following steps:
a. receiving a certificate request instruction sent after a user client is installed, generating a certificate adapted to the user client, wherein the certificate comprises a user client public key and a user client private key, storing the user client public key in a server, and sending the server public key and the user client private key to the user client for interface communication;
b. receiving an initialization instruction sent by a user client, sending a unique password to the user client after receiving the initialization instruction, and simultaneously storing the password in a server;
c. receiving an encrypted data packet sent by a user client, wherein the encrypted data packet comprises communication data, a signature and an MD5 value, the communication data is encrypted by using a server public key, the signature is encrypted by using a client private key, and the MD5 value is calculated according to a password;
the MD5 value in the encrypted data packet sent by the user client is calculated and generated by the user client by using a password and a current timestamp;
d. decrypting the encrypted data packet sent by the user client, reading the corresponding password on the server, recalculating the MD5 value from the password on the server, and comparing it with the MD5 value in the encrypted data packet; if the two values differ, the encrypted data packet is abnormal and is discarded; if they are the same, performing step e;
the recalculated MD5 value is generated by calculation of a password on the server and a time stamp in the read encrypted data packet;
e. decrypting the signature in the encrypted data packet by using the public key of the user client, if the decryption is unsuccessful, indicating that the encrypted data packet is abnormal, and discarding the encrypted data packet; if the decryption is successful, entering the step f;
f. decrypting the communication data in the encrypted data packet by using a server private key, if the decryption is unsuccessful, indicating that the encrypted data packet is abnormal, and discarding the encrypted data packet; if the decryption is successful, reading the communication data;
setting one-to-one corresponding serial numbers for all the interfaces, and storing the sequence queues of the interfaces on a server;
receiving an operation instruction from a user client and comparing the order in which the interfaces are called with the sequence queue on the server; if the call order follows the sequence logic, the data is legal data; if it does not, the data is treated as disguised data.
2. A PHP interface security filter system, comprising:
the client module is used for sending a certificate request instruction to the server after the user client is installed;
sending an initialization instruction;
the system comprises a server, a user client and a server, wherein the server is used for receiving a server public key and a user client private key sent by the server and communicating with the server through an interface;
receiving the unique password and sending an encrypted data packet to the server, wherein the encrypted data packet comprises communication data, a signature and an MD5 value, and the MD5 value in the encrypted data packet is generated by calculation of the password and the current timestamp of the user client; the communication data is encrypted by using a server public key, and the signature is encrypted by using a client private key;
the server is used for receiving the certificate request instruction, generating an adaptive certificate, storing the public key of the user client and sending the public key of the server and the private key of the user client to the client module, wherein the certificate comprises the public key of the user client and the private key of the user client;
receiving an initialization instruction, sending a unique password to a client module and storing the unique password;
receiving the encrypted data packet, decrypting the encrypted data packet sent by the client module, reading the corresponding password on the server, recalculating the MD5 value from the password on the server, and comparing it with the MD5 value in the encrypted data packet, where the MD5 value in the encrypted data packet is generated by the client module from the password and the current timestamp, and the recalculated MD5 value is generated from the password on the server and the timestamp read from the encrypted data packet; if the two values differ, the encrypted data packet is abnormal and is discarded; if they are the same, decrypting the signature in the encrypted data packet with the public key of the user client, and if the decryption is unsuccessful, the encrypted data packet is abnormal and is discarded; if the decryption is successful, decrypting the communication data in the encrypted data packet with the server private key, and if that decryption is unsuccessful, the encrypted data packet is abnormal and is discarded; if the decryption is successful, reading the communication data;
receiving and storing an interface sequence queue;
the system comprises a sequence queue, a data processing module and a data processing module, wherein the sequence queue is used for receiving an operation instruction of a user client and comparing the sequence of a calling interface with the sequence queue on a server, and if the sequence logic of the calling interface is followed, the data is represented as legal data; if the sequence logic of the calling interface is not followed, the data is represented as disguised data;
and the sequence module is used for configuring one-to-one corresponding serial numbers for all the communication interfaces and sending the sequence queues of the interfaces to the server.
Priority Applications (1)
Application Number | Publication | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN201811519459.7A | CN109787954B | 2018-12-12 | 2018-12-12 | PHP interface security filtering method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109787954A | 2019-05-21 |
CN109787954B | 2021-08-10 |
Family ID: 66495891
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |