CN110084045A - A kind of cross-domain authentication specifications JWT optimization method - Google Patents


Info

Publication number
CN110084045A
Authority
CN
China
Prior art keywords
jwt
cross
optimization method
domain authentication
computer
Legal status
Pending
Application number
CN201910340911.1A
Other languages
Chinese (zh)
Inventor
张鹏
Current Assignee
Beijing Shouqi Zhixing Technology Co Ltd
Original Assignee
Beijing Shouqi Zhixing Technology Co Ltd
Priority date
2019-04-25
Filing date
2019-04-25
Publication date
2019-08-02
Application filed by Beijing Shouqi Zhixing Technology Co Ltd
Priority to CN201910340911.1A
Publication of CN110084045A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The cross-domain authentication specification JWT optimization method disclosed by the invention relates to the technical field of network security. By implanting a life cycle parameter (lifetime) into the JWT on the server side, the life cycle of a JWT string is strictly controlled, which reduces the risk of malicious attack on the system and improves its security.

Description

A kind of cross-domain authentication specifications JWT optimization method
Technical field
The present invention relates to the technical field of network security, and in particular to a cross-domain authentication specification JWT optimization method.
Background technique
The cross-domain authentication specification JSON Web Token (JWT) is a compact, URL-safe declarative specification for transmitting security information between two parties. As an open standard (RFC 7519), JWT defines a compact, self-contained method for securely transmitting information between communicating parties in the form of a JSON object. Because a digital signature is present, this information can be trusted; an HMAC algorithm or the RSA algorithm can be used to sign the JWT string.
The conventional way of using JWT at present is to generate the JWT string on the server side and return it to the client, which persists it. Subsequent client requests carry this JWT string when communicating with the server, where it is verified.
An existing JWT includes the following parameters: which issuer (issuer) issued the current JWT string; an expiration time (exp) that the current time must not be later than; and a not-before time (nbf) that the current time must not be earlier than. The required valid time range of the JWT is thus: nbf < current_time < exp.
This period is specified by the party that generates the JWT string. Once the secret key used to generate JWT strings is stolen, the thief can use the control afforded by the nbf and exp parameters to set this period to a very long value, so the life cycle of the JWT string is no longer controlled and malicious attacks on the system become easy: the attacker only needs to generate a JWT string once and can keep using it.
Summary of the invention
To remedy the deficiencies of the prior art, an embodiment of the invention provides a cross-domain authentication specification JWT optimization method, which comprises:
implanting a life cycle parameter lifetime into the JWT on the server side, wherein the value of the lifetime is fixed.
Preferably, the value of the lifetime is 90 seconds.
The cross-domain authentication specification JWT optimization method provided by the embodiment of the invention has the following beneficial effects:
Because the lifetime parameter is implanted in the JWT, the life cycle of the JWT string is strictly controlled, which reduces the risk of malicious attack on the system and improves its security.
Detailed description of the invention
Fig. 1 is a schematic diagram of the JWT string verification process using the cross-domain authentication specification JWT optimization method provided by an embodiment of the invention.
Specific embodiment
The invention is described below in conjunction with specific embodiments.
The cross-domain authentication specification JWT optimization method provided by an embodiment of the invention comprises the following steps:
S101: implant the life cycle parameter lifetime into the JWT on the server side, wherein the value of lifetime is fixed.
In particular, the method provided by this embodiment applies to JWT strings issued by the same issuer; JWT strings issued by different issuers may have different corresponding lifetime values.
Optionally, the value of lifetime is 90 seconds, or another period such as 1 hour or 2 hours.
As shown in Fig. 1, the process by which the server verifies whether a JWT string generated according to the method of this embodiment has expired is as follows:
Parse the JWT string sent by the client to obtain the payload data, and from the payload obtain the values of the nbf and exp parameters;
Verify whether the current time current_time lies between nbf and exp; if so, further verify whether the value of exp - nbf exceeds the value of lifetime; if so, determine that the JWT string has expired;
If the value of exp minus nbf is less than the value of lifetime, determine that the JWT string is valid.
As a specific embodiment, the value of nbf is generally 5 seconds before the current time, and the value of exp is generally 60 seconds after the current time.
In particular, the method provided by this embodiment is suited to application scenarios in which the JWT is generated dynamically, i.e. where the JWT string sent by the client is different each time.
The cross-domain authentication specification JWT optimization method provided by this embodiment implants a life cycle parameter lifetime into the JWT on the server side, so that the life cycle of the JWT string is strictly controlled, which reduces the risk of malicious attack on the system and improves its security.
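The verification flow of Fig. 1 as an added example in Python (my own code, not the patent's; standard library only): the server issues an HS256 token with the patent's default offsets (nbf = now - 5 s, exp = now + 60 s) and the verifier checks the signature, then nbf < current_time < exp, then the exp - nbf bound against the fixed lifetime. The function names are my own, and accepting a window exactly equal to lifetime is an assumption, since the page specifies only the strictly-greater and strictly-less cases.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

LIFETIME = 90  # seconds: the fixed per-issuer bound the patent prefers


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(key: bytes, payload: dict) -> str:
    """HS256-sign an arbitrary payload (hypothetical helper; also used to build test tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_token(key: bytes, issuer: str, now: int) -> str:
    """Server-side issuance with the patent's defaults: nbf = now - 5 s, exp = now + 60 s."""
    return encode_token(key, {"iss": issuer, "nbf": now - 5, "exp": now + 60})


def verify_token(token: str, key: bytes, now: int, lifetime: int = LIFETIME) -> Tuple[bool, str]:
    """Signature first, then the nbf/exp window, then the lifetime bound. Returns (valid, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    nbf, exp = payload.get("nbf"), payload.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int):
        return False, "nbf/exp missing"
    if not (nbf < now < exp):  # the window check inherited from plain JWT
        return False, "outside nbf..exp window"
    # The patent's addition: a valid signature is not enough when the window itself is too wide,
    # so a token minted with a stolen key and a years-long exp is still rejected.
    # Assumption: exp - nbf exactly equal to lifetime is accepted (the page leaves that case open).
    if exp - nbf > lifetime:
        return False, "window exceeds lifetime"
    return True, "ok"
```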
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It will be understood that the related features of the above method and apparatus may be referred to one another. In addition, "first", "second" and so on in the above embodiments serve to distinguish the embodiments and do not represent the relative merits of each embodiment.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working process of the systems, devices and units described above may refer to the corresponding process in the foregoing method embodiment, and is not described again here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. As described above, the structure required to construct such a system is obvious. In addition, the invention is not directed at any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and the description above of specific languages is given to disclose the best mode of the invention.
In addition, the memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or forms of non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one storage chip.
Those skilled in the art will understand that embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), an input/output interface, a network interface and memory.
The memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or forms of non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The above are only embodiments of the application and are not intended to limit the application. Various changes and variations of the application are possible for those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the application shall be included within the scope of the claims of the application.

Claims (2)

1. A cross-domain authentication specification JWT optimization method, characterized by comprising:
implanting a life cycle parameter lifetime into the JWT on the server side, wherein the value of the lifetime is fixed.
2. The cross-domain authentication specification JWT optimization method according to claim 1, characterized in that the value of the lifetime is 90 seconds.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910340911.1A CN110084045A (en) 2019-04-25 2019-04-25 A kind of cross-domain authentication specifications JWT optimization method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910340911.1A CN110084045A (en) 2019-04-25 2019-04-25 A kind of cross-domain authentication specifications JWT optimization method

Publications (1)

Publication Number Publication Date
CN110084045A true CN110084045A (en) 2019-08-02

Family

ID=67416877

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910340911.1A Pending CN110084045A (en) 2019-04-25 2019-04-25 A kind of cross-domain authentication specifications JWT optimization method

Country Status (1)

Country Link
CN (1) CN110084045A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9801064B2 (en) * 2015-09-29 2017-10-24 Morphotrust Usa, Llc System and method for using a symbol as instruction for a target system to request identity information and authentication from a mobile identity
CN108737436A (en) * 2018-05-31 2018-11-02 西安电子科技大学 Cross-domain server identity authentication method based on a trusted consortium blockchain
CN109246071A (en) * 2018-06-28 2019-01-18 平安科技(深圳)有限公司 Service processing method, service system, call management system and service processing system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
RYOMA: "Kong: JWT documentation", 《HTTPS://BLOG.RYOMA.TOP/POSTS/KONG_JWT/》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190802