CN102054132A - Security component of database system - Google Patents

Info

Publication number: CN102054132A
Authority: CN (China)
Prior art keywords: module, code, data, security component, password
Legal status: Pending
Application number: CN2009101977573A
Other languages: Chinese (zh)
Inventors: 钱立, 沙洁
Current assignee: Sanda University
Original assignee: Sanda University
Priority date: 2009-10-27
Filing date: 2009-10-27
Publication date: 2011-05-11
Application filed by Sanda University
Priority to CN2009101977573A
Publication of CN102054132A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a security component of a database system. The security component comprises a log-on security component and a data processing security component, wherein the log-on security component comprises an interface generation module, a security code verification module, a password verification module and a window identifier verification module; and the data processing security component comprises a data interaction module, a format verification module, a code replacement module, a code encoding module and an error page generation module. By utilizing the technical scheme provided by the invention, the problems in the prior art can be effectively solved: sufficient protection against brute-force attacks can be provided, the security of the storage mode and of the authority control can be improved, error pages can be prevented from disclosing excessive sensitive information, and the threats caused by script injection and script attacks can be prevented.

Description

Security component of a database system
Technical field
The present invention relates to security technology for database systems, and in particular to a security component of a database system.
Background
With the spread of the Internet and the development of Web applications in all trades and professions, the security of websites, and of website database systems in particular, receives more and more attention. When ASP.NET is used to develop a website or an enterprise project system, security has become the key issue of overriding concern.
For a database system developed on ASP.NET, the main security threats come from the following aspects:
1) Brute-force attacks. If the system takes no measures to stop a malicious user from endlessly attempting to log in to the database, it is easily subjected to an attack in which the password is guessed countless times. This is what a brute-force attack is. Such an attack is mainly carried out by a program designed to send the target application a large number of requests, each testing a different password. The typical characteristic of these programs is that they are based on a table of common passwords. Brute-force password cracking also has another form: the encrypted password is first extracted from the file or database in which passwords are stored. Although strong encryption prevents the attacker from obtaining the password directly, the attacker can still carry out brute-force guessing, trying to find a password whose encrypted result matches. The threat posed by brute-force cracking is determined by the authority held by the user whose password is cracked. Even a user with administrator rights should choose a hard-to-crack password with care, but a low-privilege user account logging into the system may also give the attacker an opportunity.
2) Insecure storage mode. Most databases must handle sensitive data. Sensitive data generally includes personal information, passwords, configuration data and the like. These "secrets" are stored in many forms and transmitted over various protocols. They become the main targets of hackers.
3) No restriction on user behaviour. There is no restriction at all on the actions of authorized users. An attacker can use these defects to access other accounts, view sensitive files, or use unauthorized functions.
4) Error pages containing detailed error information
Developers pay attention to implementing functions; attackers pay attention to error conditions. By sending various unexpected inputs to the database system, the attacker tries to trigger some type of misbehaviour, and the error pages produced by that misbehaviour often contain a great deal of detailed error information. From it the attacker obtains more information about the internal workings of the database system, which ultimately helps them to find security vulnerabilities. For example, whenever an unhandled error occurs in ASP.NET, a page showing detailed error information is generated. That page contains highly sensitive data. Although this information is very useful during development, the developer certainly cannot and does not wish to expose it to clients in the final product.
5) Script injection and script attacks
In essence, all script injection and cross-site scripting attacks are caused by defects in input validation. If all data from untrusted sources is validated, then all of these attacks are preventable.
Summary of the invention
In view of the above problems, the present invention proposes a security component of a database system.
The security component of the database system comprises a login security component and a data processing security component, wherein:
the login security component comprises an interface generation module, a verification code authentication module, a password authentication module and a forms status identifier authentication module, wherein
the interface generation module provides a user name input interface, a password input interface, a verification code input interface and a forms status identifier input interface on the login page;
the verification code authentication module obtains the verification code through the verification code input interface and compares it with the verification code that was set; if the two agree, the subsequent step is carried out; if they do not agree, the login is refused;
the password authentication module obtains the password through the password input interface, performs an encryption operation on the password, and compares the result with the encrypted password kept in the database; if the two agree, the subsequent step is carried out; if they do not agree, the login is refused;
the forms status identifier authentication module obtains the forms status identifier through the forms status identifier input interface and compares it with the forms status identifier copy kept in the database; if the two agree, the login is allowed; if they do not agree, the login is refused;
the data processing security component comprises a data interaction module, a format verification module, a code replacement module, a code encoding module and an error page generation module, wherein
the data interaction module receives the input data and produces response data according to the result of processing the data;
the format verification module verifies the format of the input data, produces a pass signal for input data that meet the format specification, and produces a refusal signal for input data that do not meet the format specification and provides it to the error page generation module;
the code replacement module scans the input data and replaces the specified codes with a replacement symbol;
the code encoding module is connected to the code replacement module and performs code encoding on the data processed by the code replacement module; input data that can be code-encoded are provided to the database system, and data that cannot be code-encoded are provided to the error page generation module;
the error page generation module is connected to the format verification module and the code encoding module and produces a unified error page, which is provided to the data interaction module as response data.
In one embodiment, the verification code is digits or characters displayed in the form of a picture.
In one embodiment, the encrypted password is a password encrypted with the MD5 encryption algorithm, and the password authentication module obtains the password through the password input interface and also encrypts it with the MD5 encryption algorithm.
In one embodiment, the specified codes replaced by the code replacement module include "{", "}", "[", "]" and ";", and the replacement symbol is a space.
By adopting the technical scheme of the present invention, the above problems in the prior art can be addressed effectively: sufficient protection against brute-force attacks is provided, the security of the storage mode and of the authority control is improved, the disclosure of excessive sensitive information on error pages is eliminated, and the threats brought by script injection and script attacks are prevented.
Description of drawings
Fig. 1 shows the security component of a database system according to the present invention.
Embodiment
Referring to Fig. 1, the security component of a database system according to the present invention comprises a login security component 10 and a data processing security component 20.
The login security component 10 comprises an interface generation module 101, a verification code authentication module 102, a password authentication module 103 and a forms status identifier authentication module 104, wherein:
the interface generation module 101 provides a user name input interface, a password input interface, a verification code input interface and a forms status identifier input interface on the login page;
the verification code authentication module 102 obtains the verification code through the verification code input interface and compares it with the verification code that was set; if the two agree, the subsequent step is carried out; if they do not agree, the login is refused;
the password authentication module 103 obtains the password through the password input interface, performs an encryption operation on the password, and compares the result with the encrypted password kept in the database; if the two agree, the subsequent step is carried out; if they do not agree, the login is refused;
the forms status identifier authentication module 104 obtains the forms status identifier through the forms status identifier input interface and compares it with the forms status identifier copy kept in the database; if the two agree, the login is allowed; if they do not agree, the login is refused.
The verification code authentication module 102 is mainly intended to resist brute-force attacks. A brute-force attack means trying thousands upon thousands of passwords drawn from a large password set, one after another. A verification code is simply a string of random digits or characters generated on the server side and kept in memory; the random digits or characters are then written into a specially designed picture, which is sent to the browser and shown to the user as an image. The user reads the verification code from the picture with the naked eye and finally submits it through the verification code input interface.
The verification process is as follows: the user enters the recognized verification code in the verification code input interface; the server side of the database obtains the information submitted by the user and judges whether the verification code characters are identical to the characters kept on the server side; if they are identical, verification passes; otherwise an error message is shown and the user's login is refused.
In one embodiment, the verification code authentication module 102 can be implemented by the following code:
Create a new form named "checkimage.aspx", open the "checkimage.aspx.cs" page and write the method GenerateCheckCode() that generates the random characters. The main code is as follows:
[Code listing reproduced as an image in the original; not available in text form]
Then write the method CreateCheckCodeImage(str) that generates the picture; the str parameter is the verification code to be drawn. The main code is as follows:
[Code listing reproduced as an image in the original; not available in text form]
Display the verification code in the "checkimage.aspx" page. The code is as follows:
[Code listing reproduced as an image in the original; not available in text form]
Use the verification code. Open the "Login.aspx" login page and add an "Image" control and a "Textbox" control. Display the verification code by setting the "ImageUrl" property of the "Image" control to the "checkimage.aspx" page. The code is as follows:
<asp:Image ID="Image2" runat="server" ImageUrl="~/checkimage1.aspx" />
Write the onclick event of the "Image" control to implement a refresh function. The code is as follows:
<asp:Image ID="Image2" runat="server" onclick="this.src='checkimage1.aspx?flag='+Math.random()" ImageUrl="~/checkimage1.aspx" />
In the click event of the "login" button in the "Login.aspx" page, check whether the verification code entered by the user is correct. The main code is as follows:
[Code listing reproduced as an image in the original; not available in text form]
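The listings above survive only as images, so the following is an added example written for this page and not the patent's own code: a checkimage.aspx code-behind that generates the random code, keeps it server-side in Session, renders it as a PNG, and a Login.aspx handler that compares the submitted value. It assumes classic ASP.NET Web Forms with System.Drawing, and the session key, control names and alphabet are assumptions.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// checkimage.aspx.cs (example, not the patent's listing)
public partial class checkimage : Page
{
    const string SessionKey = "CheckCode";                          // assumed key name
    const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";     // 32 symbols, no 0/O or 1/I

    // Random code from a cryptographic RNG so a guessing script cannot predict it.
    // 256 % 32 == 0, so the modulo introduces no bias.
    public static string GenerateCheckCode(int length = 5)
    {
        var bytes = new byte[length];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[bytes[i] % Alphabet.Length];
        return new string(chars);
    }

    // Draw the code on a bitmap with interference lines and return the PNG bytes.
    public static byte[] CreateCheckCodeImage(string str)
    {
        var rnd = new Random();                                     // noise only, not secret
        using (var bmp = new Bitmap(str.Length * 16 + 8, 24))
        using (var g = Graphics.FromImage(bmp))
        using (var font = new Font("Arial", 13, FontStyle.Bold))
        using (var ms = new MemoryStream())
        {
            g.Clear(Color.White);
            for (int i = 0; i < 10; i++)
                g.DrawLine(Pens.Silver, rnd.Next(bmp.Width), rnd.Next(bmp.Height),
                                        rnd.Next(bmp.Width), rnd.Next(bmp.Height));
            g.DrawString(str, font, Brushes.DarkBlue, 4, 2);
            bmp.Save(ms, ImageFormat.Png);
            return ms.ToArray();
        }
    }

    // Every request to checkimage.aspx issues a fresh code; the old one is discarded.
    protected void Page_Load(object sender, EventArgs e)
    {
        string code = GenerateCheckCode();
        Session[SessionKey] = code;                                 // never sent to the client as text
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.ContentType = "image/png";
        Response.BinaryWrite(CreateCheckCodeImage(code));
        Response.End();
    }

    // The stored code is removed before comparing, so one code answers at most one
    // attempt and a guessing script cannot reuse a solved image.
    public static bool VerifyCheckCode(HttpSessionState session, string userInput)
    {
        var expected = session[SessionKey] as string;
        session.Remove(SessionKey);
        if (expected == null || userInput == null) return false;
        return string.Equals(expected, userInput.Trim(), StringComparison.OrdinalIgnoreCase);
    }
}

// Login.aspx.cs (example): the code check runs before any password work.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)       // assumed control names
    {
        if (!checkimage.VerifyCheckCode(Session, txtCheckCode.Text))
        {
            lblMsg.Text = "Verification code error.";
            return;                                                 // refuse login
        }
        // password and forms status identifier checks follow here
    }
}
```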
The password authentication module 103 improves the insecure password storage mode.
Usually users' passwords are stored in the database. If the database is attacked and users' passwords are stolen, the security of the database is seriously threatened. The best way to address this problem is not to store the user's actual password in the database, but to store the password after it has been encrypted with the MD5 encryption algorithm. When the user needs to be verified, it is enough to encrypt the password entered by the user again and compare it with the encrypted password in the system database.
The full name of MD5 is Message-Digest Algorithm 5. It is an irreversible encryption algorithm and is regarded as one of the strongest encryption algorithms at present; no program that can invert it has yet been developed, and it can encrypt any character string into a unique code of fixed length.
The MD5 encryption algorithm has the following advantages:
First, it is irreversible: there is no systematic method of finding out what the original text of an MD5 code was.
Second, the code is highly dispersed and follows no rule. Even a tiny change in the original information causes a great change in the MD5 value; one may also say that the generated MD5 code is unpredictable.
Finally, since the code is 128 bits long, the probability that two arbitrary pieces of information have the same MD5 code is very low and is usually regarded as impossible.
In one embodiment, the password authentication module 103 is implemented as follows:
Open the add-user page and, in the click event of the "add" button, write the code that encrypts the user's password with the MD5 algorithm and stores it in the database.
[Code listing reproduced as an image in the original; not available in text form]
Create a new class named RBAC and define in it a method Login(string name, string password). The method encrypts the password entered by the user, then compares the encrypted input password with the encrypted password in the system database, and judges whether the user exists. The main code is as follows:
[Code listing reproduced as an image in the original; not available in text form]
In the click event of the "login" button of the login page, call the Login(string name, string password) method of the RBAC class to implement the encrypted login function. The main code is as follows:
Because the MD5 algorithm is irreversible, when the user needs to be verified, exactly as in the encrypted login function implemented above, it is enough to encrypt the password entered by the user again and compare it with the encrypted password in the system database.
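As an added example (not the patent's listing), the RBAC.Login(name, password) method described above: hash the submitted password with MD5, read the stored hash for that user from the Slogin table, and compare the two. The connection string name, the column names and the hex encoding of the digest are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// RBAC class (example, not the patent's listing)
public static class RBAC
{
    // MD5 of the UTF-8 bytes as 32 lowercase hex characters. The add-user page must
    // store exactly this form, or every comparison fails.
    public static string Md5Hex(string password)
    {
        using (var md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
            var sb = new StringBuilder(hash.Length * 2);
            foreach (byte b in hash) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Compare two digests without leaking, through timing, how many leading
    // characters matched; a plain string == returns at the first mismatch.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // True when a row for `name` exists in Slogin and its stored hash equals the
    // hash of the submitted password. The query is parameterised, so the user
    // name cannot change the SQL.
    public static bool Login(string name, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["DbConn"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT password FROM Slogin WHERE username = @name", conn))           // assumed columns
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            conn.Open();
            object stored = cmd.ExecuteScalar();
            if (stored == null || stored == DBNull.Value) return false;          // unknown user
            return FixedTimeEquals(stored.ToString().Trim().ToLowerInvariant(), Md5Hex(password));
        }
    }
}
```

Unsalted MD5 is fast to compute, so a leaked Slogin table can be run against a common-password table offline exactly as the background section describes; current practice stores a salted, deliberately slow hash (for example PBKDF2 via Rfc2898DeriveBytes) in the same column and compares it the same way.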
The forms status identifier authentication module 104 improves the insecure authority control. According to an embodiment of the invention, a copy of the forms status identifier is kept in the database; a forms status identifier is obtained through the forms status identifier input interface and compared with the forms status identifier copy; if the two agree, the login is allowed; if they do not agree, the login is refused.
The forms status identifier authentication module 104 can be implemented as follows:
Create two new tables, Slogin and Srole, in the database system. Slogin stores the user name and password; Srole stores the user name and the forms status identifier copy (the user's role). Users' forms status identifiers are divided into several kinds.
Create a forms-authentication login page that supports forms status identifier authentication. The code is as follows:
[Code listing reproduced as an image in the original; not available in text form]
Create the Global.asax file and add a function named Application_AuthenticateRequest to the Global.asax.cs file. The code is as follows:
[Code listing reproduced as an image in the original; not available in text form]
The forms status identifier copy is not stored as part of the cookie, and cannot be, because the user can modify the cookie. Instead, FormsAuthentication encrypts the forms status identifier copy with the machine key (which is usually in machine.config); the user's forms status identifier copy is stored through UserData. Once the forms status identifier copy has been created, it can be added to the current context (that is, HttpContext).
Configure the Web.config file under the root directory of the database system's web application: the node <authentication mode="Windows"> under <system.web> is changed to <authentication mode="Forms">, as follows:
[Code listing reproduced as an image in the original; not available in text form]
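As an added example (not the patent's listing), the two halves of the mechanism just described: the login page issues a forms authentication ticket whose UserData carries the role copy read from Srole, and Application_AuthenticateRequest rebuilds the principal from that ticket on every request. The Srole lookup itself, the cookie lifetime and the method names are assumptions; classic ASP.NET Web Forms is assumed.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Example helper, not the patent's code.
public static class RoleTicket
{
    // Login.aspx.cs: call after the verification code and password checks passed.
    // roleCopy is the value read from Srole for this user (lookup assumed, not shown).
    public static void Issue(HttpResponse response, string userName, string roleCopy, bool httpsOnly)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                          // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),
            false,                      // not persistent
            roleCopy);                  // UserData: encrypted and signed with the machine key
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,            // page script cannot read the ticket
            Secure = httpsOnly          // true in production: ticket travels only over HTTPS
        };
        response.Cookies.Add(cookie);
    }

    // Global.asax.cs: Application_AuthenticateRequest delegates here. Only a cookie
    // that decrypts and validates under the machine key reaches the principal, so a
    // cookie edited by the user yields no roles at all.
    public static void Authenticate(HttpContext context)
    {
        HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { return; }   // tampered or foreign cookie: treat as anonymous
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Global.asax.cs wiring:
//   protected void Application_AuthenticateRequest(object sender, EventArgs e)
//   {
//       RoleTicket.Authenticate(HttpContext.Current);
//   }
// Pages then check Context.User.IsInRole("admin"), or Web.config restricts a folder:
//   <authorization><allow roles="admin"/><deny users="*"/></authorization>
```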
The data processing security component 20 comprises a data interaction module 201, a format verification module 202, a code replacement module 203, a code encoding module 204 and an error page generation module 205.
The data interaction module 201 receives the input data and produces response data according to the result of processing the data. The response data may be: the result obtained after the database system has processed the input data, which serves as the response data when the input data are processed normally; or, when the input data are rejected, the error page produced by the error page generation module 205, which serves as the response data.
The format verification module 202 verifies the format of the input data, produces a pass signal for input data that meet the format specification, and produces a refusal signal for input data that do not meet the format specification and provides it to the error page generation module 205. In one embodiment, the format verification module 202 is implemented as follows:
It is implemented with a regular expression and a RegularExpressionValidator control:
[Code listing reproduced as an image in the original; not available in text form]
When the RegularExpressionValidator control finds that the user's input does not match the regular expression, it blocks the user's input and informs the user of the error through ErrorMessage.
The code replacement module 203 scans the input data and replaces the specified codes with a replacement symbol. When incorrect input is received from an untrusted source, it is not necessarily refused. In this case, screening the input is the best approach. For example, special characters such as "{", "}", "[", "]" and "&" can be filtered out in this way. The screening function can be implemented with the Replace method of the String object. For example, in one embodiment, the code replacement module 203 is implemented as follows:
[Code listing reproduced as an image in the original; not available in text form]
The above code removes the "{" and "}" characters from the user's input and replaces them with spaces. In other embodiments, spaces may be used to replace "{", "}", "[", "]" or "&".
The code encoding module 204 is connected to the code replacement module 203 and performs code encoding on the data processed by the code replacement module 203; input data that can be code-encoded are provided to the database system, and data that cannot be code-encoded are provided to the error page generation module 205. Sometimes the input data processed by the format verification module 202 and the code replacement module 203 may still contain illegal characters, because validation is not feasible for all user input. For example, in a search field the user can type any content to be searched for, including script tags (for example <script>), script commands (for example alert) or HTML tags (for example <B>). In these situations validation cannot always be applied. Encoding is an effective way of controlling harmful data from user input, because encoding translates harmful characters into their display equivalents. The HtmlEncode method of the Server object can be used to encode harmful characters. Encoding the characters that form tags prevents those tags from being executed. In one embodiment, the code encoding module 204 is implemented as follows:
myGStudent.std_hobby = Server.HtmlEncode(TextBox4.Text);
Now any characters entered into TextBox4 cannot be executed; they are treated as a character string that cannot be executed.
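As an added example (not the patent's listing), the three data-processing steps in the order the text gives them: a server-side regular-expression format check (the counterpart of the RegularExpressionValidator, which only runs in the browser unless Page.IsValid is also checked), replacement of the specified characters with spaces, and HtmlEncode before the value is stored or echoed. The two format rules and the result type are assumptions; the replaced character set is the union of the "{", "}", "[", "]", ";" and "&" lists given on this page.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public enum Verdict { Accepted, FormatRejected }

public sealed class ProcessResult
{
    public Verdict Verdict;
    public string Value;          // encoded value when accepted, null when rejected
}

// Example implementation of modules 202, 203 and 204 (not the patent's code).
public static class DataProcessing
{
    // Format rules (assumed). A name field can be tightly constrained; a search
    // field can only be bounded in length, which is the case the text says
    // validation alone cannot cover, so the later steps must still run.
    public static readonly Regex NameFormat =
        new Regex(@"^[\p{L}\p{Nd} ]{1,50}$", RegexOptions.CultureInvariant);
    public static readonly Regex SearchFormat =
        new Regex(@"^.{1,200}$", RegexOptions.Singleline | RegexOptions.CultureInvariant);

    // Module 203: specified codes, each replaced by the replacement symbol (a space).
    static readonly char[] Specified = { '{', '}', '[', ']', ';', '&' };

    // Module 202: pass signal only when the whole string matches the rule.
    public static bool FormatOk(string input, Regex rule) =>
        input != null && rule.IsMatch(input);

    public static string ReplaceSpecified(string input)
    {
        var chars = input.ToCharArray();
        for (int i = 0; i < chars.Length; i++)
            if (Array.IndexOf(Specified, chars[i]) >= 0) chars[i] = ' ';
        return new string(chars);
    }

    // Module 204: markup characters become entities, so a <script> tag or <B> tag
    // in the input is displayed as text rather than interpreted by the browser.
    // Same transformation as Server.HtmlEncode on the page.
    public static string Encode(string input) => HttpUtility.HtmlEncode(input);

    // The pipeline: refusal signal goes to the error page (FormatRejected);
    // accepted data is replaced, encoded and only then handed to the database.
    public static ProcessResult Process(string input, Regex rule)
    {
        if (!FormatOk(input, rule))
            return new ProcessResult { Verdict = Verdict.FormatRejected, Value = null };
        string replaced = ReplaceSpecified(input);
        return new ProcessResult { Verdict = Verdict.Accepted, Value = Encode(replaced) };
    }
}

// Code-behind usage (example): the server re-checks the rule even though a
// RegularExpressionValidator exists, because a client can post without running it.
//   var r = DataProcessing.Process(TextBox4.Text, DataProcessing.SearchFormat);
//   if (r.Verdict == Verdict.FormatRejected) Response.Redirect("~/error.aspx");
//   else myGStudent.std_hobby = r.Value;
```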
The error page generation module 205 is connected to the format verification module 202 and the code encoding module 204 and produces a unified error page, which is provided to the data interaction module 201 as the output response page. Using a unified error page in place of the original detailed error listing avoids exposing the internal design defects of the system through the error page. In one embodiment, the unified error page is implemented as follows:
Create the Global.asax file and add the required code in the Application_Error() function, as follows:
[Code listing reproduced as an image in the original; not available in text form]
The code Response.Redirect("~/error.aspx") specifies that the system jumps to the specified page "error.aspx" when an unhandled error occurs.
Create the custom error page "error.aspx" and display the error message in the page.
[Code listing reproduced as an image in the original; not available in text form]
The implementation process is not complicated. When an unhandled error occurs in the system, the specific page "error.aspx" is called and shown to the user. In this way the system avoids attacks based on malicious error messages.
By adopting the technical scheme of the present invention, the above problems in the prior art can be addressed effectively: sufficient protection against brute-force attacks is provided, the security of the storage mode and of the authority control is improved, the disclosure of excessive sensitive information on error pages is eliminated, and the threats brought by script injection and script attacks are prevented.
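As an added example (not the patent's listing), an Application_Error handler that records the real exception server-side, clears it so the default detailed ASP.NET error page is never rendered, and redirects to the unified "error.aspx", which shows only a generic message and a reference id. The log target, the query-string id and the label control are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Global.asax.cs (example, not the patent's code)
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        Exception root = ex.GetBaseException();          // unwrap HttpUnhandledException
        // A correlation id lets an operator find the full stack trace in the log,
        // while the user only ever sees the id.
        string id = Guid.NewGuid().ToString("N");
        Trace.TraceError("[{0}] {1} at {2}: {3}", id, root.GetType().Name, Request.RawUrl, root);
        Server.ClearError();                             // suppress the detailed error page
        Response.Redirect("~/error.aspx?id=" + id, false);
        Context.ApplicationInstance.CompleteRequest();   // end without ThreadAbortException
    }
}

// error.aspx.cs (example): no ex.Message, no stack trace, nothing about the database.
public partial class error : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string id = Request.QueryString["id"] ?? "";
        // The id comes back from the query string, so it is encoded before display.
        lblMessage.Text = "The request could not be processed. Reference: "
                          + Server.HtmlEncode(id);      // lblMessage: assumed control
    }
}

// Web.config (example): covers errors raised before Application_Error can run,
// for example a failure while the application itself starts.
//   <system.web>
//     <customErrors mode="On" defaultRedirect="~/error.aspx" />
//   </system.web>
```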

Claims (4)

1. A security component of a database system, characterized in that it comprises a login security component and a data processing security component, wherein:
the login security component comprises an interface generation module, a verification code authentication module, a password authentication module and a forms status identifier authentication module, wherein
the interface generation module provides a user name input interface, a password input interface, a verification code input interface and a forms status identifier input interface on the login page;
the verification code authentication module obtains the verification code through the verification code input interface and compares it with the verification code that was set; if the two agree, the subsequent step is carried out; if they do not agree, the login is refused;
the password authentication module obtains the password through the password input interface, performs an encryption operation on the password, and compares the result with the encrypted password kept in the database; if the two agree, the subsequent step is carried out; if they do not agree, the login is refused;
the forms status identifier authentication module obtains the forms status identifier through the forms status identifier input interface and compares it with the forms status identifier copy kept in the database; if the two agree, the login is allowed; if they do not agree, the login is refused;
the data processing security component comprises a data interaction module, a format verification module, a code replacement module, a code encoding module and an error page generation module, wherein
the data interaction module receives the input data and produces response data according to the result of processing the data;
the format verification module verifies the format of the input data, produces a pass signal for input data that meet the format specification, and produces a refusal signal for input data that do not meet the format specification and provides it to the error page generation module;
the code replacement module scans the input data and replaces the specified codes with a replacement symbol;
the code encoding module is connected to the code replacement module and performs code encoding on the data processed by the code replacement module; input data that can be code-encoded are provided to the database system, and data that cannot be code-encoded are provided to the error page generation module;
the error page generation module is connected to the format verification module and the code encoding module and produces a unified error page, which is provided to the data interaction module as response data.
2. The security component of a database system as claimed in claim 1, characterized in that the verification code is digits or characters displayed in the form of a picture.
3. The security component of a database system as claimed in claim 1, characterized in that the encrypted password is a password encrypted with the MD5 encryption algorithm, and the password authentication module obtains the password through the password input interface and also encrypts it with the MD5 encryption algorithm.
4. The security component of a database system as claimed in claim 1, characterized in that the specified codes replaced by the code replacement module include "{", "}", "[", "]" and ";", and the replacement symbol is a space.

Publications (1)

Publication Number Publication Date
CN102054132A true CN102054132A (en) 2011-05-11

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410532A (en) * 2014-12-12 2015-03-11 携程计算机技术(上海)有限公司 Server and log filtering method thereof
CN109064300A (en) * 2018-06-25 2018-12-21 武汉凡果信息技术股份有限公司 A kind of financial management system and its management method
CN112346775A (en) * 2020-09-21 2021-02-09 杭州数智政通科技有限公司 General index data processing method, electronic device and storage medium
CN112346775B (en) * 2020-09-21 2024-02-02 杭州数智政通科技有限公司 Index data general processing method, electronic device and storage medium
CN117728993A (en) * 2023-12-01 2024-03-19 招商局检测认证(重庆)有限公司 Intelligent fire-fighting user login safety comprehensive management system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110511