CN102065067A - Method and device for preventing replay attack between portal server and client - Google Patents


Info

Publication number
CN102065067A
Authority
CN
China
Prior art keywords
production line
sequence number
portal
rolls
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2009102375275A
Other languages
Chinese (zh)
Other versions
CN102065067B (en)
Inventor
刘洋
伊莉娜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN200910237527.5A
Publication of CN102065067A
Application granted
Publication of CN102065067B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and device for preventing a replay attack between a portal server and a client. The portal server allocates a corresponding sequence number to the client, such as a user sequence number or a logout sequence number, and uses that sequence number to detect replayed messages during logout authentication, thereby effectively preventing replay of logout request messages and improving the security of the portal authentication system.

Description

Method and apparatus for preventing replay attacks between a Portal server and a Portal client
Technical field
The present invention relates to the field of secure authentication technology, and in particular to a method and apparatus for preventing replay attacks between a Portal server and a Portal client.
Background technology
Portal authentication, usually also called Web authentication, authenticates users through a web page. The website used for Portal authentication is generally called the portal website. The Portal authentication protocol is mainly used in Web-based broadband access authentication systems to complete user authentication and authorization. When an unauthenticated user goes online, the access device forces the user to a particular site, where the user can use the services offered there free of charge. When the user needs other information on the Internet, the user must authenticate at the portal website; only after passing authentication can the user use Internet resources.
The whole Portal authentication process involves the Portal client (Portal Client), the authentication server (Portal Server), the broadband access server (BAS, Broadband Access Server) and the authentication, authorization and accounting (AAA, Authentication Authorization Accounting) server. Authentication is carried out mainly through protocol interaction between the Portal Server and the BAS; the protocol adopts a non-strict client/server (Client/Server) structure, and most messages are exchanged in a request/response (Request/Response) manner.
At present, the procedure in which a Portal client actively requests logout is shown in Figure 1. In this procedure, the Portal client sends a logout request message (LOGOUT_REQUEST (0x66)) to the Portal server, where the Authenticator field of the logout request message is obtained by computing a Message-Digest Algorithm 5 (MD5, Message-Digest algorithm 5) digest over some fields of the logout request message together with the shared key preconfigured on the Portal client. After the Portal server receives the logout request message, it computes an MD5 digest over the same fields of the message together with the shared key preconfigured on the Portal server, and compares the result with the value of the Authenticator field sent by the Portal client. If they are identical, the message is considered legitimate, the interaction with the BAS is carried out, and finally a logout response message is returned to the Portal client; otherwise the message is considered erroneous, is simply discarded, and the dropped packet is counted. The above is the Portal server's authentication process for the Portal client. To complete this authentication process, the Portal server and the Portal client must both be configured with the same preset shared key (Secret), and both sides must use the same cryptographic algorithm (such as the MD5 algorithm described in RFC 1321); to verify the correctness of a received message, the receiver must perform exactly the same computation as the sender, that is, compute the digest over the predetermined fields.
The existing procedure for Portal client logout has the security problem of a man-in-the-middle replay attack. If a man-in-the-middle attacker sits between the Portal client and the Portal server, it can listen to an active logout request message sent by a Portal client to the Portal server and save that message. When this Portal client has passed authentication again and is online normally, the attacker replays the saved message to the Portal server, which causes the Portal server to abruptly log the Portal client off. If the attacker has saved the active logout request messages of a large number of different Portal clients and replays them deliberately from time to time, a large number of Portal clients will be abnormally disconnected, and further attacks can be derived from this, such as session hijacking and theft of trust relationships between hosts.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and apparatus for preventing replay attacks between a Portal server and a Portal client, so as to effectively prevent replay attacks on logout request messages and improve the security of the Portal authentication system.
To solve the above technical problem, the present invention provides the following scheme:
A method for preventing replay attacks between a Portal server and a Portal client, comprising:
Step A: the Portal server receives a logout request message for a first Portal client, the logout request message carrying a first authenticator, a first user sequence number and the IP address of the first Portal client;
Step B: the Portal server looks up, in a locally stored mapping table, a second user sequence number corresponding to the IP address, and judges whether the first and second user sequence numbers are identical: if so, proceed to step C; otherwise, discard the logout request message and end the procedure. The mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
Step C: the Portal server performs a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, the logout authentication of the first Portal client is judged to pass; otherwise, the logout request message is discarded and the procedure ends. The predetermined fields include the first user sequence number.
Preferably, the above method further comprises:
After each Portal client passes login authentication, the Portal server allocates a user sequence number to that Portal client, and sends the allocated user sequence number to the corresponding Portal client in the authentication response message.
Preferably, in the above method, allocating a user sequence number to each Portal client is:
For any Portal client, randomly selecting a value from a predetermined numerical space as the user sequence number of that Portal client; or, allocating the values in the predetermined numerical space to the Portal clients in turn, in the order in which they pass login authentication, as their user sequence numbers.
Preferably, in the above method, in step C, after the logout authentication of the first Portal client is judged to pass, the Portal server further deletes the correspondence between the IP address and the second user sequence number stored in the mapping table.
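As an added illustration of the user-sequence-number scheme in steps A to C and the preferred refinements above (example code written for this page, not the patent's or H3C's implementation): the server allocates a random user sequence number at login, keeps the IP-to-sequence-number mapping table, checks the mapping before recomputing the authenticator over fields that include the sequence number, and deletes the mapping entry once logout authentication passes, so a captured logout request cannot pass a second time. The digested field layout, the shared secret, the client address and a 32-bit numerical space are assumptions; MD5 is used because the page's background names it as the digest.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed placeholder values; the patent specifies neither.
SHARED_SECRET = b"example-preset-shared-key"


def compute_authenticator(secret: bytes, ip: str, user_seq: int, body: bytes) -> bytes:
    """Digest over the predetermined fields plus the preset shared key.

    The field layout is an assumption; what matters for the scheme is that the
    user sequence number is one of the digested fields (step C).
    """
    h = hashlib.md5()
    h.update(ip.encode())
    h.update(user_seq.to_bytes(4, "big"))
    h.update(body)
    h.update(secret)
    return h.digest()


@dataclass(frozen=True)
class LogoutRequest:
    ip: str
    user_seq: int          # first user sequence number
    body: bytes
    authenticator: bytes   # first authenticator


class PortalServer:
    def __init__(self, secret: bytes, seq_bits: int = 32):
        self.secret = secret
        self.seq_bits = seq_bits
        # Mapping table: IP address of each online client -> allocated user sequence number.
        self.mapping: dict = {}

    def login(self, ip: str) -> int:
        """After login authentication passes: pick a random value from the numerical
        space as the user sequence number and return it (carried in the login response)."""
        seq = secrets.randbits(self.seq_bits)
        self.mapping[ip] = seq
        return seq

    def handle_logout(self, req: LogoutRequest) -> bool:
        # Step B: look up the second user sequence number for this IP and compare.
        second_seq = self.mapping.get(req.ip)
        if second_seq is None or second_seq != req.user_seq:
            return False  # client not online, or the number belongs to an earlier session
        # Step C: recompute the authenticator and compare in constant time.
        second_auth = compute_authenticator(self.secret, req.ip, req.user_seq, req.body)
        if not hmac.compare_digest(second_auth, req.authenticator):
            return False
        # Preferred refinement: drop the mapping entry once logout authentication passes.
        del self.mapping[req.ip]
        return True


def build_logout_request(secret: bytes, ip: str, user_seq: int,
                         body: bytes = b"LOGOUT_REQUEST") -> LogoutRequest:
    """Client side: the first authenticator is computed over the same fields."""
    return LogoutRequest(ip, user_seq, body, compute_authenticator(secret, ip, user_seq, body))


def demo() -> tuple:
    server = PortalServer(SHARED_SECRET)
    ip = "192.0.2.10"                      # constructed client address
    seq1 = server.login(ip)
    req = build_logout_request(SHARED_SECRET, ip, seq1)
    genuine = server.handle_logout(req)          # True: sequence number and digest both match
    replay_after = server.handle_logout(req)     # False: mapping entry already deleted
    seq2 = server.login(ip)                      # client logs in again, gets a fresh number
    replay_online = server.handle_logout(req)    # False (overwhelmingly): stale number != seq2
    fresh = server.handle_logout(build_logout_request(SHARED_SECRET, ip, seq2))  # True
    return genuine, replay_after, replay_online, fresh


if __name__ == "__main__":
    print(demo())
```

The third case is the one the background section describes: the replayed request still carries a valid digest, so a server that only checks the Authenticator would log the client off; here the stale user sequence number fails step B before the digest is even recomputed.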
The present invention also provides another method for preventing replay attacks between a Portal server and a Portal client, comprising:
When a first Portal client needs to log out, it sends a logout request message to the Portal server, the logout request message carrying a first authenticator, the IP address of the first Portal client and a first user sequence number, where the first user sequence number is the user sequence number allocated by the Portal server to the first Portal client after the first Portal client logged in, and the probability that the Portal server assigns any Portal client the same user sequence number after each login is less than a predetermined value; the first authenticator is obtained by a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message, the predetermined fields including the first user sequence number;
The first user sequence number in the logout request message is provided for the Portal server to compare with a second user sequence number, and the logout request message is discarded when the first and second user sequence numbers differ, where the second user sequence number is the user sequence number corresponding to the IP address that the Portal server obtains by looking up a locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
The first authenticator in the logout request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass, and when they differ, the logout request message is discarded; the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, through a digest computation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
Preferably, in the above method, before sending the logout request message, the method further comprises:
When the first Portal client needs to log in, it sends a login request message to the Portal server, and receives the login response message returned by the Portal server after the login authentication of the first Portal client passes, the login response message carrying the user sequence number allocated by the Portal server to the first Portal client.
The present invention provides a Portal server, comprising:
a receiving unit, for receiving a logout request message for a first Portal client, the logout request message carrying a first authenticator, a first user sequence number and the IP address of the first Portal client;
a first judging unit, for looking up, in a locally stored mapping table, a second user sequence number corresponding to the IP address, and judging whether the first and second user sequence numbers are identical: if so, triggering the second judging unit; otherwise, discarding the logout request message; the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
a second judging unit, for performing a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logout authentication of the first Portal client passes; otherwise, discarding the logout request message; the predetermined fields include the first user sequence number.
Preferably, the above Portal server further comprises:
a sequence number allocation unit, for allocating a user sequence number to each Portal client after it passes login authentication, and sending the allocated user sequence number to the corresponding Portal client in the authentication response message.
Preferably, in the above Portal server, the sequence number allocation unit is further used, for any Portal client, to randomly select a value from a predetermined numerical space as the user sequence number of that Portal client; or to allocate the values in the predetermined numerical space to the Portal clients in turn, in the order in which they pass login authentication, as their user sequence numbers.
The present invention also provides a Portal client, comprising:
a logout processing unit, for sending, when this Portal client needs to log out, a logout request message to the Portal server, the logout request message carrying a first authenticator, the IP address of the first Portal client and a first user sequence number, where the first user sequence number is the user sequence number allocated by the Portal server to the first Portal client after the first Portal client logged in, and the probability that the Portal server assigns any Portal client the same user sequence number after each login is less than a predetermined value; the first authenticator is obtained by a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message, the predetermined fields including the first user sequence number;
The first user sequence number in the logout request message is used for the Portal server to compare with a second user sequence number, and the logout request message is discarded when the first and second user sequence numbers differ, where the second user sequence number is the user sequence number corresponding to the IP address that the Portal server obtains by looking up a locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
The first authenticator in the logout request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass, and when they differ, the logout request message is discarded; the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, through a digest computation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
Preferably, the above Portal client further comprises:
a login processing unit, for sending, when this Portal client needs to log in, a login request message to the Portal server, and receiving the login response message returned by the Portal server after the login authentication of the first Portal client passes, the login response message carrying the user sequence number allocated by the Portal server to the first Portal client.
The present invention further provides a method for preventing replay attacks between a Portal server and a Portal client, comprising:
Step 1: the Portal server receives a logout request message for a first Portal client, the logout request message carrying a first authenticator, a first logout sequence number and the IP address of the first Portal client;
Step 2: the Portal server judges whether the first logout sequence number is within the range of the locally maintained anti-replay sliding window: if so, proceed to step 3; otherwise, discard the logout request message and end the procedure. The two ends of the sliding window are respectively the maximum and the minimum of the logout sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed logout authentication; logout sequence numbers are allocated by the Portal server to the Portal clients in turn, in the order in which it receives the sequence number request messages that each Portal client sends to request a logout sequence number when it needs to log out;
Step 3: the Portal server performs a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, the logout authentication of the first Portal client is judged to pass; otherwise, the logout request message is discarded and the procedure ends. The predetermined fields include the first logout sequence number.
Preferably, the above method further comprises:
After receiving the sequence number request messages that each Portal client sends to request a logout sequence number when it needs to log out, the Portal server allocates logout sequence numbers to the Portal clients in turn, in the order in which it received the sequence number request messages.
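As an added illustration of the sliding-window variant in steps 1 to 3 and the allocation step above (example code written for this page, not the patent's or H3C's implementation): the server hands out logout sequence numbers in arrival order, keeps the set of numbers allocated but not yet authenticated, and treats the minimum and maximum of that set as the two ends of its anti-replay window. The example goes one step beyond the claim text, as noted in the code: it also requires the number to still be outstanding, since a number that was already consumed can lie between the window ends and would otherwise pass step 2. The digested field layout, the shared secret and the client addresses are assumptions; MD5 is used because the page's background names it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

SHARED_SECRET = b"example-preset-shared-key"  # constructed placeholder


def compute_authenticator(secret: bytes, ip: str, logout_seq: int, body: bytes) -> bytes:
    """Digest over the predetermined fields (which include the logout sequence number)
    plus the preset shared key; the field layout is an assumption."""
    h = hashlib.md5()
    h.update(ip.encode())
    h.update(logout_seq.to_bytes(4, "big"))
    h.update(body)
    h.update(secret)
    return h.digest()


@dataclass(frozen=True)
class LogoutRequest:
    ip: str
    logout_seq: int        # first logout sequence number
    body: bytes
    authenticator: bytes   # first authenticator


class PortalServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.next_seq = 1
        # Logout sequence numbers allocated but not yet passed logout authentication.
        self.outstanding: set = set()

    def handle_seq_request(self, ip: str) -> int:
        """Answer a sequence number request: numbers are allocated in turn, in arrival order."""
        seq = self.next_seq
        self.next_seq += 1
        self.outstanding.add(seq)
        return seq  # carried back to the client in the sequence number response

    def window(self) -> Optional[Tuple[int, int]]:
        """Two ends of the anti-replay window: min and max of the outstanding numbers."""
        if not self.outstanding:
            return None
        return min(self.outstanding), max(self.outstanding)

    def handle_logout(self, req: LogoutRequest) -> bool:
        # Step 2: the number must lie inside the sliding window.
        w = self.window()
        if w is None or not (w[0] <= req.logout_seq <= w[1]):
            return False
        # Tightening beyond the claim text (assumption): the number must still be outstanding,
        # otherwise a consumed number between the window ends would pass step 2 on replay.
        if req.logout_seq not in self.outstanding:
            return False
        # Step 3: recompute the authenticator over the secret and predetermined fields.
        second_auth = compute_authenticator(self.secret, req.ip, req.logout_seq, req.body)
        if not hmac.compare_digest(second_auth, req.authenticator):
            return False
        self.outstanding.discard(req.logout_seq)  # the window shrinks as numbers are consumed
        return True


def build_logout_request(secret: bytes, ip: str, logout_seq: int,
                         body: bytes = b"LOGOUT_REQUEST") -> LogoutRequest:
    """Client side: the first authenticator is computed over the same fields."""
    return LogoutRequest(ip, logout_seq, body, compute_authenticator(secret, ip, logout_seq, body))


def demo() -> tuple:
    server = PortalServer(SHARED_SECRET)
    clients = {"a": "192.0.2.1", "b": "192.0.2.2", "c": "192.0.2.3"}  # constructed addresses
    seqs = {name: server.handle_seq_request(ip) for name, ip in clients.items()}  # 1, 2, 3
    req_b = build_logout_request(SHARED_SECRET, clients["b"], seqs["b"])
    b_ok = server.handle_logout(req_b)          # True: window [1, 3], 2 is outstanding
    b_replay = server.handle_logout(req_b)      # False: 2 already consumed
    never_allocated = server.handle_logout(
        build_logout_request(SHARED_SECRET, clients["a"], 7))  # False: outside the window
    a_ok = server.handle_logout(build_logout_request(SHARED_SECRET, clients["a"], seqs["a"]))  # True
    c_ok = server.handle_logout(build_logout_request(SHARED_SECRET, clients["c"], seqs["c"]))  # True: window [3, 3]
    after_empty = server.handle_logout(
        build_logout_request(SHARED_SECRET, clients["c"], seqs["c"]))  # False: nothing outstanding
    return b_ok, b_replay, never_allocated, a_ok, c_ok, after_empty


if __name__ == "__main__":
    print(demo())
```

Unlike the user-sequence-number variant, this scheme costs the client an extra round trip (the sequence number request and response) before every logout, but the server needs no per-session state from login time: everything it checks is derived from the numbers it has handed out and not yet seen come back.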
The present invention further provides a method for preventing replay attacks between a Portal server and a Portal client, comprising:
When a first Portal client needs to log out, it sends a sequence number request message requesting a logout sequence number to the Portal server, and receives the sequence number response message returned by the Portal server, the sequence number response message carrying the logout sequence number allocated by the Portal server to the first Portal client, where the Portal server allocates logout sequence numbers to the Portal clients in turn, in the order in which it receives the sequence number request messages sent by each Portal client;
The first Portal client sends a logout request message to the Portal server, the logout request message carrying a first authenticator, the first logout sequence number and the IP address of the first Portal client, where the first authenticator is obtained by a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message, the predetermined fields including the first logout sequence number;
The first logout sequence number in the logout request message is used by the Portal server to judge whether it is within the range of the anti-replay sliding window maintained by the Portal server, and the logout request message is discarded when the judgement is negative; the two ends of the sliding window are respectively the maximum and the minimum of the logout sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed logout authentication;
The first authenticator in the logout request message is used by the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass, and when they differ, the logout request message is discarded; the second authenticator is obtained by the Portal server, when the first and second logout sequence numbers are identical, through a digest computation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
The present invention also provides another Portal server, comprising:
a receiving unit, for receiving a logout request message for a first Portal client, the logout request message carrying a first authenticator, a first logout sequence number and the IP address of the first Portal client;
a first judging unit, for judging whether the first logout sequence number is within the range of the locally maintained anti-replay sliding window: if so, triggering the second judging unit; otherwise, discarding the logout request message; the two ends of the sliding window are respectively the maximum and the minimum of the logout sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed logout authentication, and the logout sequence numbers are allocated by the Portal server to the Portal clients in turn, in the order in which it receives the sequence number request messages that each Portal client sends to request a logout sequence number when it needs to log out;
a second judging unit, for performing a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logout authentication of the first Portal client passes; otherwise, discarding the logout request message; the predetermined fields include the first logout sequence number.
Preferably, the above Portal server further comprises:
a sequence number allocation unit, for allocating, after receiving the sequence number request messages that each Portal client sends to request a logout sequence number when it needs to log out, logout sequence numbers to the Portal clients in turn, in the order in which the sequence number request messages were received.
The present invention also provides another Portal client, comprising:
a sequence number request unit, for sending, when this Portal client needs to log out, a sequence number request message requesting a logout sequence number to the Portal server, and receiving the sequence number response message returned by the Portal server, the sequence number response message carrying the logout sequence number allocated by the Portal server to the first Portal client, where the Portal server allocates logout sequence numbers to the Portal clients in turn, in the order in which it receives the sequence number request messages sent by each Portal client;
a logout processing unit, for sending a logout request message to the Portal server, the logout request message carrying a first authenticator, the first logout sequence number and the IP address of the first Portal client, where the first authenticator is obtained by a digest computation, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message, the predetermined fields including the first logout sequence number;
The first logout sequence number in the logout request message is used by the Portal server to judge whether this first logout sequence number is within the range of the anti-replay sliding window locally set on the Portal server, and the logout request message is discarded when the judgement is negative; the two ends of the sliding window are respectively the maximum and the minimum of the logout sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed logout authentication;
The first authenticator in the logout request message is used by the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass, and when they differ, the logout request message is discarded; the second authenticator is obtained by the Portal server, when the first and second logout sequence numbers are identical, through a digest computation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
From the above it can be seen that, in the method and apparatus for preventing replay attacks between a Portal server and a Portal client provided by the present invention, the Portal server allocates a corresponding sequence number (such as a user sequence number or a logout sequence number) to the Portal client and uses that sequence number during logout authentication to detect replayed messages, thereby effectively preventing replay attacks on logout request messages and improving the security of the Portal authentication system.
Description of drawings
Fig. 1 is a schematic flow diagram of a Portal client actively requesting logout in the prior art;
Fig. 2 is a schematic flow diagram of the replay prevention method described in Embodiment 1 of the invention;
Fig. 3 is a schematic diagram of the format of a Portal protocol message;
Fig. 4 is a schematic structural diagram of the Portal server described in Embodiment 1 of the invention;
Fig. 5 is a schematic structural diagram of the Portal client described in Embodiment 1 of the invention;
Fig. 6 is a schematic flow diagram of the replay prevention method described in Embodiment 2 of the invention;
Fig. 7 is a schematic structural diagram of the Portal server described in Embodiment 2 of the invention;
Fig. 8 is a schematic structural diagram of the Portal client described in Embodiment 2 of the invention.
Detailed description of the embodiments
The reason the prior art is exposed to man-in-the-middle replay attacks is that the Portal server of the prior-art scheme verifies only the authenticity of the logout request message. In other words, what it checks is the trust relationship between three things: certain fields of the logout request message, the pre-shared key, and the Authenticator field of the logout request message. A verification built on this relationship can only guarantee that tampering of the message by an attacker is detected, that is, it checks the authenticity of the request. It cannot verify the freshness of the request, and so cannot tell whether the same request message has been sent before.
The main idea of the invention is to introduce, into the Portal server's verification of the Portal client, a trusted factor that is bound to the Portal user, and thereby to solve the security problem caused by man-in-the-middle replay attacks. The invention is further described below through specific embodiments, with reference to the drawings.
<Embodiment 1>
In this embodiment, after any Portal client comes online, the Portal server allocates a user sequence number to that client and, for the same Portal client, ensures as far as possible that a different user sequence number is allocated each time it comes online. The Portal server stores locally the correspondence between the user sequence number and the IP address of each online Portal client. When it later receives a logout request message from a Portal client, it verifies the freshness of that message from the locally stored correspondence and the user sequence number carried in the logout request.
As shown in Fig. 2, the method for preventing replay attacks between a Portal server and a Portal client provided by this embodiment comprises the following steps:
Step 21: when a Portal client needs to go online, it sends a login request message (login_request) to the Portal server. After the login authentication of this Portal client passes, the Portal server allocates an IP address and a user sequence number to the client and returns a login response message (login_response) indicating that authentication passed. The login response contains a field (for example a self-defined USER_SEQNUM field) that carries the user sequence number allocated to this Portal client, which uniquely identifies it. At the same time, the Portal server maintains a mapping table locally and stores in it the correspondence between the IP address and the user sequence number it allocated to this Portal client. After receiving the login response, the Portal client extracts the IP address and user sequence number the Portal server allocated to it, and may thereafter access the Internet with that IP address.
Here, when allocating a user sequence number to a Portal client, the Portal server must ensure that the probability of the client being assigned the same user sequence number on two different logins is not greater than a predetermined value. Concrete allocation methods include:
1) Randomly pick one value from a numeric space of predetermined size (assume N) as the user sequence number of the Portal client. Under this method, if the Portal client is assigned user sequence number 1 on its first login, the probability that it is assigned user sequence number 1 again on its second login is 1/N. As long as N is large enough, the probability that the Portal client receives the same user sequence number on two different logins is small enough. For example, taking N as 2^32 or 2^64 satisfies the anti-replay requirements of practical use.
2) Allocate the values of a predetermined numeric space (assume N) to the Portal clients in sequence, in the order in which their login authentication passes, as their user sequence numbers. In this case, if the Portal client is assigned user sequence number 1 on its first login, the probability that it is assigned user sequence number 1 again on its second login is less than 1/N.
Here, sequential allocation may be incrementing: if the order in which login authentication passes is Portal client 1, Portal client 2, Portal client 3, ..., then the user sequence numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... are n, n+1, n+2, ... respectively. When the allocated user sequence number reaches the upper limit of the numeric space, allocation continues cyclically from the lower limit of the space.
Sequential allocation may also be decrementing, in which case the user sequence numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... above are n, n-1, n-2, ... respectively. When the allocated user sequence number reaches the lower limit of the numeric space, allocation continues cyclically from the upper limit of the space.
Table 1 below illustrates the content the mapping table maintained by the Portal server may contain. The user sequence number and IP address in each row are the user sequence number and IP address the Portal server allocated to one client.
[Table 1 appears in the original as an image: one row per online Portal client, with a user sequence number column and an IP address column.]
Table 1
As will be seen from the remainder of this embodiment, what the Portal server checks is the correspondence between the IP address it allocated to the Portal client and that client's user sequence number. The probability that a client is assigned both the same IP address and the same user sequence number on two different logins is lower still: with a user sequence number space of size 2^64 as an example, this probability is 1/(m*2^64), where m is the allocatable IP address space and IP addresses are assumed to be randomly allocated as well. This probability is extremely small and meets the anti-replay requirements of present practical use. If a stronger security guarantee is required, the size of the user sequence number space may be increased further, and the pre-shared key may also be renewed periodically between the Portal client and the Portal server.
Step 22: suppose a certain Portal client, referred to as the first Portal client, needs to go offline. The first Portal client sends a logout request message to the Portal server. The logout request message contains a first authenticator, a first user sequence number and the first IP address of the first Portal client, where the first authenticator is obtained by the first Portal client by computing, with a predetermined digest algorithm, a digest over predetermined fields of the logout request message and the locally stored pre-shared key; the predetermined fields include the first user sequence number.
Here, the first user sequence number in the logout request is for the Portal server to compare with a second user sequence number; when the first and second user sequence numbers differ, the logout request is discarded. The second user sequence number is the user sequence number corresponding to the first IP address, which the Portal server looks up in its locally stored mapping table. The mapping table stores the correspondence between the IP address and the user sequence number the Portal server allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value. When the first and second user sequence numbers are identical, the first authenticator in the logout request is then compared by the Portal server with a second authenticator: when the two authenticators are identical, the logout authentication of the first Portal client is judged to pass; when they differ, the logout request is discarded. The second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by computing with the predetermined digest algorithm a digest over the pre-shared key and the predetermined fields.
Here, the first Portal client computes, with the predetermined digest algorithm (such as MD5), a digest over the predetermined fields of the logout request message and the pre-shared key. The logout request is a Portal protocol message, whose format is shown in Fig. 3. In this embodiment, the predetermined fields used for the digest computation comprise the Ver, Type, PAP/CHAP, Rsvd, SerialNo, ReqID, UserIP, UserPort, ErrCode and AttrNum fields, 16 bytes of 0 in place of the Authenticator, and the Attributes field; the computed first authenticator is then carried in the Authenticator field of the logout request. The first user sequence number is carried in the USER_SEQNUM sub-attribute within the Attributes field.
Step 23: after the Portal server receives the above logout request from the first Portal client, it extracts the first IP address and the first user sequence number of the first Portal client from the message, looks up in its locally stored mapping table the second user sequence number corresponding to the first IP address, and judges whether the second user sequence number is identical to the first: if so, go to step 24; otherwise go to step 26;
Step 24: the Portal server computes, with the predetermined digest algorithm, a digest over the predetermined fields of the logout request and the locally stored pre-shared key to obtain the second authenticator, and judges whether the first authenticator carried in the logout request is identical to the second authenticator: if so, go to step 25; otherwise go to step 26.
Here, the pre-shared keys stored by the server and by the client are identical, and the method of synchronizing the shared key is the same as in the prior art.
Step 25: the Portal server judges that the logout authentication of the first Portal client passes. After it passes, the Portal server proceeds as in the prior art: it continues to interact with the BAS about the logout requested by the Portal client and, after receiving the response message returned by the BAS, returns a logout response message to the first Portal client indicating that logout succeeded. When the first Portal client receives this logout response, it considers itself successfully logged out.
Step 26: the Portal server judges that the logout authentication of the first Portal client fails; it then directly discards the logout request and the process ends.
From above flow process as can be seen, user's sequence number that the Portal client is assigned to after reaching the standard grade at every turn in the present embodiment usually can be not identical, and the Portal client also includes the information of user's sequence number with the factor of user's sequence number as the MD5 digest computing in the feasible request message that rolls off the production line.Like this, when the go-between assailant intercepts certain request message that rolls off the production line once that the Portal client sends to Portal server, and reset this request message that rolls off the production line when attacking in this Portal client back of reaching the standard grade once more, because the user's sequence number in this request message that rolls off the production line is different with the current user's sequence number that is assigned with of this Portal client, therefore can to judge this request message that rolls off the production line be a playback message to Portal server, so this message is carried out discard processing, makes assailant's attack fail.User's sequence number that Portal server is distributed when reaching the standard grade even the assailant has intercepted and captured Portal client the last time, and when using the corresponding field in the alternative request message of resetting that rolls off the production line of this user's sequence number, Portal server still can detect by above-mentioned steps 24, therefore Portal server is when carrying out the MD5 computing according to the predetermined field (this predetermined field comprises user's sequence number) in the request message that rolls off the production line and preset shared key, can find that the authenticator that carries in operation result and this request message that rolls off the production line is different, therefore judge that this request message that rolls off the production line has taken place to distort, so the 
request message that still this rolled off the production line abandons.
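The flow of steps 21 to 26 and the two attack cases just described, as an added runnable sketch in Python. This is example code written for this page, not the patent's or H3C's implementation: the header layout follows the Fig. 3 field list, but the message type code, the USER_SEQNUM attribute code, the TLV layout of the Attributes field, the pre-shared key and the size of the sequence number space are assumptions, since the page fixes none of them. The demo runs a legitimate logout, a replay of the captured request after the client has logged in again, the same captured request with the new user sequence number spliced in, and a fresh logout.

```python
"""Embodiment 1 sketch: user sequence number bound to the client IP at login,
checked and then MD5-verified at logout. Example code, not the patent's."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

# Constructed values: the page names the fields and the MD5 digest but fixes
# no key, type code, attribute code or space size, so these are assumptions.
SHARED_KEY = b"portal-shared-secret"
REQ_LOGOUT = 0x05          # assumed Type code of the logout request
ATTR_USER_SEQNUM = 0xF0    # assumed sub-attribute code for USER_SEQNUM
SEQNUM_SPACE = 2 ** 32     # N, the user sequence number space

# Fig. 3 header: Ver, Type, PAP/CHAP, Rsvd, SerialNo, ReqID, UserIP, UserPort,
# ErrCode, AttrNum; the 16-byte Authenticator follows, then the Attributes.
HEADER_FMT = "!BBBBHH4sHBB"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes
AUTH_LEN = 16
SEQ_OFFSET = HEADER_LEN + AUTH_LEN + 2      # value of the first (only) attribute

def encode_attrs(attrs):
    """Assumed TLV layout: type(1), length(1) including these 2 bytes, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(blob):
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        t, length = struct.unpack_from("!BB", blob, pos)
        if length < 2:
            break                      # malformed attribute: stop rather than loop
        attrs[t] = blob[pos + 2:pos + length]
        pos += length
    return attrs

def authenticator(header, attrs_blob, key):
    """Step 22: MD5 over the header fields, 16 zero bytes where the
    Authenticator sits, the Attributes and the pre-shared key."""
    return hashlib.md5(header + b"\0" * AUTH_LEN + attrs_blob + key).digest()

def build_logout_request(user_ip, serial_no, user_seqnum, key):
    attrs_blob = encode_attrs([(ATTR_USER_SEQNUM, struct.pack("!I", user_seqnum))])
    header = struct.pack(HEADER_FMT, 2, REQ_LOGOUT, 0, 0, serial_no, 0,
                         IPv4Address(user_ip).packed, 0, 0, 1)
    return header + authenticator(header, attrs_blob, key) + attrs_blob

def parse_message(raw):
    header = raw[:HEADER_LEN]
    fields = struct.unpack(HEADER_FMT, header)
    attrs_blob = raw[HEADER_LEN + AUTH_LEN:]
    return {"header": header, "auth": raw[HEADER_LEN:HEADER_LEN + AUTH_LEN],
            "attrs_blob": attrs_blob, "user_ip": str(IPv4Address(fields[6])),
            "attrs": decode_attrs(attrs_blob)}

class PortalServer:
    def __init__(self, key):
        self.key = key
        self.online = {}   # Table 1: IP address -> user sequence number
        self.last = {}     # previous number per IP, to avoid repeating it

    def login(self, user_ip):
        """Step 21, method 1): random value from a space of size N; redrawn if
        it repeats the client's previous number ("different as far as possible")."""
        seq = self.last.get(user_ip)
        while seq == self.last.get(user_ip):
            seq = int.from_bytes(os.urandom(8), "big") % SEQNUM_SPACE
        self.online[user_ip] = self.last[user_ip] = seq
        return seq

    def logout(self, raw):
        msg = parse_message(raw)
        if ATTR_USER_SEQNUM not in msg["attrs"]:
            return False, "no USER_SEQNUM attribute"
        first_seq = struct.unpack("!I", msg["attrs"][ATTR_USER_SEQNUM])[0]
        if self.online.get(msg["user_ip"]) != first_seq:          # step 23 -> 26
            return False, "user sequence number mismatch (replay)"
        expected = authenticator(msg["header"], msg["attrs_blob"], self.key)
        if not hmac.compare_digest(expected, msg["auth"]):       # step 24 -> 26
            return False, "authenticator mismatch (tampered)"
        del self.online[msg["user_ip"]]                           # step 25
        return True, "logout authenticated"

def demo():
    """Legitimate logout, replay after re-login, replay with spliced seqnum, fresh logout."""
    server, ip = PortalServer(SHARED_KEY), "10.0.0.7"   # constructed client IP
    seq1 = server.login(ip)
    req1 = build_logout_request(ip, 1, seq1, SHARED_KEY)
    first = server.logout(req1)
    seq2 = server.login(ip)                    # the client comes online again
    replay = server.logout(req1)               # man in the middle replays the old request
    # attacker splices the current seqnum into the captured request, without the key
    patched = req1[:SEQ_OFFSET] + struct.pack("!I", seq2) + req1[SEQ_OFFSET + 4:]
    tampered = server.logout(patched)
    fresh = server.logout(build_logout_request(ip, 2, seq2, SHARED_KEY))
    return {"first": first, "replay": replay, "tampered": tampered, "fresh": fresh}
```

Running `demo()` gives accepted/rejected verdicts for the four cases, with the replay caught by the sequence number comparison of step 23 and the spliced request by the digest comparison of step 24. The page specifies MD5 over the fields with the key appended; that construction is kept here, although a practitioner building this today would use an HMAC, and the digest comparison should be constant-time as above.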
This embodiment also provides apparatus for implementing the above anti-replay method, specifically comprising a Portal server and a Portal client.
As shown in Fig. 4, the Portal server provided by this embodiment comprises:
a receiving unit, for receiving a logout request message from a first Portal client, the logout request containing a first authenticator, a first user sequence number and the first IP address of the first Portal client;
a first judging unit, for looking up in the locally stored mapping table the second user sequence number corresponding to the first IP address and judging whether the second user sequence number is identical to the first: if so, triggering the second judging unit; otherwise discarding the logout request; where the mapping table stores the correspondence between the IP address and the user sequence number the Portal server allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
a second judging unit, for computing with the predetermined digest algorithm a digest over the pre-shared key and the predetermined fields of the logout request to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logout authentication of the first Portal client passes; otherwise discarding the logout request; where the predetermined fields include the first user sequence number.
Preferably, the Portal server of Fig. 4 further comprises a sequence number allocation unit, for allocating a user sequence number to each Portal client after its login authentication passes and carrying the allocated user sequence number in the authentication response message sent to that Portal client. Specifically, the sequence number allocation unit is further for, for any Portal client, randomly selecting one value from a predetermined numeric space as that client's user sequence number; or for allocating the values of the predetermined numeric space to the Portal clients in sequence, in the order in which their login authentication passes, as their user sequence numbers.
As shown in Fig. 5, the Portal client provided by this embodiment comprises:
a logout processing unit, for sending a logout request message to the Portal server when this Portal client needs to go offline, the logout request containing a first authenticator, the first IP address of the first Portal client and a first user sequence number; where the first user sequence number is the sequence number the Portal server allocated to the first Portal client after it came online, the probability that any Portal client is assigned the same user sequence number by the Portal server after each login being less than a predetermined value; and the first authenticator is obtained by computing with the predetermined digest algorithm a digest over the pre-shared key and the predetermined fields of the logout request, the predetermined fields including the first user sequence number;
here, the first user sequence number in the logout request is for the Portal server to compare with a second user sequence number, the logout request being discarded when the first and second user sequence numbers differ; the second user sequence number is the user sequence number corresponding to the first IP address, which the Portal server looks up in its locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number the Portal server allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
when the first and second user sequence numbers are identical, the first authenticator in the logout request is for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass; when they differ, the logout request is discarded; the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by computing with the predetermined digest algorithm a digest over the pre-shared key and the predetermined fields.
Preferably, the Portal client of Fig. 5 further comprises:
a login processing unit, for sending a login request message to the Portal server when this Portal client needs to go online, and for receiving the login response message the Portal server returns after the login authentication of the first Portal client passes, the login response carrying the user sequence number the Portal server allocated to the first Portal client.
<Embodiment 2>
In this embodiment, a Portal client that wants to go offline must first request a logoff sequence number from the Portal server. Logoff sequence numbers are allocated to the Portal clients in sequence, that is, incrementing or decrementing in the order in which the Portal clients go offline. The Portal server also maintains locally an anti-replay sliding window, which it uses to check the freshness of logout request messages.
As shown in Fig. 6, the method for preventing replay attacks between a Portal server and a Portal client provided by this embodiment comprises the following steps:
Step 61: when a Portal client needs to go offline, it first sends to the Portal server a sequence number request message requesting a logoff sequence number;
Step 62: after receiving the sequence number request messages that Portal clients send when they need to go offline, the Portal server allocates logoff sequence numbers to the Portal clients in sequence, in the order in which it received their sequence number requests, and sends each Portal client a sequence number response message carrying the logoff sequence number allocated to it. Each Portal client that needs to go offline can thus extract from its sequence number response the logoff sequence number the Portal server allocated to it.
Here, sequential allocation may be incrementing: if the sequence number requests were received in the order Portal client 1, Portal client 2, Portal client 3, ..., then the logoff sequence numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... are n, n+1, n+2, ... respectively. When the allocated logoff sequence number reaches the upper limit of a numeric space of predetermined size, allocation continues cyclically from the lower limit of the space. Here n is an integer.
Sequential allocation may also be decrementing, in which case the logoff sequence numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... above are n, n-1, n-2, ... respectively. When the allocated logoff sequence number reaches the lower limit of the numeric space of predetermined size, allocation continues cyclically from the upper limit of the space.
The size of the numeric space can be chosen according to the actual application environment, such as the number of Portal clients; for example 2^32 or 2^64 normally satisfies the anti-replay requirements of practical use. This embodiment does not limit the concrete size of the numeric space: even if the space is small, the processing of this embodiment still identifies replayed messages with a certain probability and so prevents replay of the logout request to a certain extent.
Step 63: taking any Portal client that needs to go offline (assume the first Portal client) as an example: after receiving the sequence number response message, the first Portal client extracts the logoff sequence number it carries (assume the first logoff sequence number) and then sends a logout request message to the Portal server. The logout request contains a first authenticator, the first logoff sequence number and the first IP address of the first Portal client, where the first authenticator is obtained by computing with the predetermined digest algorithm a digest over the locally stored pre-shared key and the predetermined fields of the logout request; the predetermined fields include the first logoff sequence number.
Here, the first logoff sequence number in the logout request is for the Portal server to judge whether it lies within the range of the anti-replay sliding window the Portal server maintains, and the logout request is discarded when it does not; the two ends of the sliding window are respectively the largest and the smallest of the logoff sequence numbers the Portal server has currently allocated to Portal clients that have not yet passed logout authentication;
when the first logoff sequence number lies within the sliding window, the first authenticator in the logout request is for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass; when they differ, the logout request is discarded. The second authenticator is obtained by the Portal server, once the first logoff sequence number lies within the sliding window, by computing with the predetermined digest algorithm a digest over the pre-shared key and the predetermined fields.
Step 64: after the Portal server receives the logout request from the first Portal client, it extracts the first authenticator, the first logoff sequence number and the first IP address of the first Portal client, and then judges whether the first logoff sequence number lies within the range of the locally maintained anti-replay sliding window, whose two ends are respectively the largest and the smallest of the logoff sequence numbers the Portal server has currently allocated to Portal clients that have not yet passed logout authentication: if so, go to step 65; otherwise go to step 67.
Step 65: the Portal server computes, with the predetermined digest algorithm, a digest over the pre-shared key and the predetermined fields of the logout request to obtain the second authenticator, and judges whether the first and second authenticators are identical: if so, go to step 66; otherwise go to step 67.
Step 66: the Portal server judges that the logout authentication of the first Portal client passes. Once it passes, the Portal server slides the window as needed, so that its two ends are again the largest and the smallest of the logoff sequence numbers currently allocated to Portal clients that have not yet passed logout authentication. The Portal server then proceeds as in the prior-art flow: it continues to interact with the BAS about the logout requested by the Portal client and, after receiving the response message returned by the BAS, returns to the first Portal client a logout response message indicating that logout succeeded. When the first Portal client receives this logout response, it considers itself successfully logged out.
Step 67: the Portal server judges that the logout authentication of the first Portal client fails; it then directly discards the logout request and the process ends.
From above flow process as can be seen, the roll off the production line sliding window of sequence number of present embodiment utilization is verified first property of message, with the Replay Attack of the request message that prevents to roll off the production line.Utilize the request message that rolls off the production line of certain Portal client of previous intercepting and capturing to initiate Replay Attack as the assailant; because the sequence number that rolls off the production line in the request message of resetting that rolls off the production line can be in outside the sliding window usually; to cause this request message that rolls off the production line to be dropped, attack proves an abortion.Even it is the last sequence number that rolls off the production line that distributes of Portal client that the assailant has intercepted and captured Portal server, and use the corresponding field in the alternative previous request message of intercepting and capturing that rolls off the production line of this sequence number that rolls off the production line, Portal server still can detect by above-mentioned steps 65, therefore Portal server is when carrying out the MD5 computing according to the predetermined field (this predetermined field comprises the sequence number that rolls off the production line) in the request message that rolls off the production line and preset shared key, can find that the authenticator that carries in operation result and this request message that rolls off the production line is different, therefore judge that this request message that rolls off the production line has taken place to distort, so the request message that still this rolled off the production line abandons.
This embodiment also provides apparatus for implementing the above anti-replay method, specifically a Portal server and a Portal client.
As shown in Figure 7, the Portal server provided by this embodiment comprises:
a receiving unit, for receiving a logoff request message for a first Portal client, the logoff request message containing a first authenticator, a first logoff sequence number and the first IP address of the first Portal client;
a first judging unit, for judging whether the first logoff sequence number is within the range of the locally maintained anti-replay sliding window: if so, the second judging unit is triggered; otherwise the logoff request message is discarded; wherein the two ends of the sliding window are respectively the maximum and the minimum of the logoff sequence numbers that the Portal server has currently allocated to Portal clients and that have not yet passed logoff authentication, and the logoff sequence numbers are allocated by the Portal server to each Portal client in turn, after it receives the sequence number request messages that the Portal clients send when they need to go offline, according to the order in which the sequence number request messages are received;
a second judging unit, for performing a digest calculation, according to a predetermined digest algorithm, over the preset shared key and the predetermined fields of the logoff request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, the logoff authentication of the first Portal client is judged to have passed; otherwise the logoff request message is discarded; wherein the predetermined fields include the first logoff sequence number.
Preferably, the Portal server shown in Figure 7 further comprises a sequence number allocation unit, for allocating a logoff sequence number to each Portal client in turn, after receiving the sequence number request messages that the Portal clients send when they need to go offline, according to the order in which the sequence number request messages are received.
As shown in Figure 8, the Portal client provided by this embodiment comprises:
a sequence number request unit, for sending, when this Portal client needs to go offline, a sequence number request message to the Portal server requesting a logoff sequence number, and receiving the sequence number response message returned by the Portal server, which carries the logoff sequence number allocated by the Portal server to the first Portal client; wherein the logoff sequence numbers are allocated by the Portal server to each Portal client in turn according to the order in which it receives the sequence number request messages sent by the Portal clients;
a logoff processing unit, for sending a logoff request message to the Portal server, the logoff request message containing a first authenticator, the first logoff sequence number and the first IP address of the first Portal client; wherein the first authenticator is obtained by a digest calculation, according to a predetermined digest algorithm, over the preset shared key and the predetermined fields of the logoff request message, and the predetermined fields include the first logoff sequence number;
wherein the first logoff sequence number in the logoff request message is for the Portal server to judge whether it is within the range of the anti-replay sliding window set up locally on the Portal server, and to discard the logoff request message when the judgement is negative; wherein the two ends of the sliding window are respectively the maximum and the minimum of the logoff sequence numbers that the Portal server has currently allocated to Portal clients and that have not yet passed logoff authentication.
When the first logoff sequence number is within the range of the sliding window, the first authenticator in the logoff request message is for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logoff authentication of the first Portal client is judged to have passed; when they differ, the logoff request message is discarded; wherein the second authenticator is obtained by the Portal server, when the first logoff sequence number is within the sliding window, by a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
In summary, in the anti-replay method and apparatus provided by the embodiments of the invention, the Portal server allocates a corresponding sequence number (a user sequence number or a logoff sequence number) to each client and uses this sequence number during logoff authentication to detect replayed messages, so that replay attacks using logoff request messages are effectively prevented and the security of the Portal authentication system is improved.
The above are only embodiments of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the protection scope of the invention.

Claims (17)

1. the method for an anti-replay-attack between Portal server and Portal client is characterized in that, comprising:
Steps A, Portal server receive the request message that rolls off the production line at a Portal client, include an IP address of first authenticator, first user's sequence number and a Portal client in the described request message that rolls off the production line;
Step B, Portal server is searched second user's sequence number of a described IP address correspondence in the mapping table that preserve this locality, and judge whether first, second user's sequence number is identical: if then enter step C, otherwise abandon described request message and the process ends of rolling off the production line; Wherein, preserve described Portal server in the described mapping table and be the corresponding relation between each online Portal client IP address allocated and the user's sequence number, and arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice probability is not more than predetermined value;
Step C, Portal server is according to predetermined digest algorithm, predetermined field in preset shared key and the described request message that rolls off the production line is carried out digest calculations, obtain second authenticator, and judge whether first, second authenticator is identical: if judge that then the authentication of rolling off the production line of a described Portal client is passed through; Otherwise, abandon described request message and the process ends of rolling off the production line; Wherein, described predetermined field includes described first user's sequence number.
2. the method for claim 1 is characterized in that, also comprises:
Described Portal server is reached the standard grade after authentication passes through in each Portal client, is each Portal client distributing user sequence number, and the user's sequence number that is distributed is carried at authentication sends to corresponding Portal client in the back message using.
3. method as claimed in claim 2 is characterized in that,
Describedly be for each Portal client distributing user sequence number:
For arbitrary Portal client, in predetermined numerical space, select a numerical value at random, as user's sequence number of this Portal client; Perhaps, according to each Portal client sequencing of passing through of authentication of reaching the standard grade, the numerical value in the predetermined numerical space is distributed to each Portal client in turn, as user's sequence number of each Portal client.
4. method as claimed in claim 2, it is characterized in that, among the described step C, after the authentication of rolling off the production line of judging a described Portal client is passed through, described IP address of preserving in the described mapping table of the further deletion of described Portal server and the corresponding relation between described second user's sequence number.
5. the method for an anti-replay-attack between Portal server and Portal client is characterized in that, comprising:
The one Portal client is when needs roll off the production line, send the request message that rolls off the production line to Portal server, include an IP address and first user's sequence number of first authenticator, a Portal client in the described request message that rolls off the production line, wherein, described first user's sequence number is that described Portal server is user's sequence number that a Portal client is distributed after a Portal client is reached the standard grade, and arbitrary Portal client is assigned to the probability of same user's sequence number less than predetermined value in the back of reaching the standard grade at every turn by described Portal server; Described first authenticator is according to predetermined digest algorithm, and it is resulting that the predetermined field in preset shared key and the described request message that rolls off the production line is carried out digest calculations, and described predetermined field includes described first user's sequence number;
Wherein, first user's sequence number in the described request message that rolls off the production line is used to offer described Portal server and second user's sequence number compares, and first, second user's sequence number abandons the described request message that rolls off the production line when inequality, wherein, described second user's sequence number is that described Portal server is searched the user sequence number corresponding with an IP address that the local mapping table of preserving obtains, preserve described Portal server in the described mapping table and be the corresponding relation between each online Portal client IP address allocated and the user's sequence number, and arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice probability is not more than predetermined value;
First authenticator in the described request message that rolls off the production line then is used to offer described Portal server and second authenticator compares, and when first, second authenticator is identical, judge a described Portal client roll off the production line the authentication pass through, when described first, second authenticator is inequality, abandon the described request message that rolls off the production line; Wherein, described second authenticator be described Portal server when described first, second user's sequence number is identical, according to predetermined digest algorithm preset shared key and described predetermined field are carried out that digest calculations obtains.
6. method as claimed in claim 5 is characterized in that, before sending the described request message that rolls off the production line, described method also comprises:
The one Portal client sends the request message of reaching the standard grade to Portal server when this Portal client need be reached the standard grade, and receive Portal server to a described Portal client reach the standard grade authentication by after the back message using of reaching the standard grade that returns, carrying described Portal server in the described back message using of reaching the standard grade is user's sequence number that a described Portal client is distributed.
7. A Portal server, characterized in that it comprises:
a receiving unit, for receiving a logoff request message for a first Portal client, the logoff request message containing a first authenticator, a first user sequence number and the first IP address of the first Portal client;
a first judging unit, for looking up, in a locally stored mapping table, the second user sequence number corresponding to the first IP address, and judging whether the first and second user sequence numbers are identical: if so, the second judging unit is triggered; otherwise the logoff request message is discarded; wherein the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number after any two logins is not greater than a predetermined value;
a second judging unit, for performing a digest calculation, according to a predetermined digest algorithm, over the preset shared key and the predetermined fields of the logoff request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, the logoff authentication of the first Portal client is judged to have passed; otherwise the logoff request message is discarded; wherein the predetermined fields include the first user sequence number.
8. The Portal server of claim 7, characterized in that it further comprises:
a sequence number allocation unit, for allocating a user sequence number to each Portal client after that Portal client passes login authentication, and carrying the allocated user sequence number in the authentication response message sent to the corresponding Portal client.
9. The Portal server of claim 8, characterized in that
the sequence number allocation unit is further for randomly selecting, for any Portal client, a value from a predetermined numerical space as the user sequence number of that Portal client; or for allocating the values in the predetermined numerical space to the Portal clients in turn, according to the order in which they pass login authentication, as their user sequence numbers.
10. A Portal client, characterized in that it comprises:
a logoff processing unit, for sending, when this Portal client needs to go offline, a logoff request message to the Portal server, the logoff request message containing a first authenticator, the first IP address of the first Portal client and a first user sequence number; wherein the first user sequence number is the user sequence number allocated by the Portal server to the first Portal client after the first Portal client logged in, and the probability that any Portal client is assigned the same user sequence number by the Portal server after each login is less than a predetermined value; the first authenticator is obtained by a digest calculation, according to a predetermined digest algorithm, over the preset shared key and the predetermined fields of the logoff request message, and the predetermined fields include the first user sequence number;
wherein the first user sequence number in the logoff request message is for the Portal server to compare with a second user sequence number, and the logoff request message is discarded when the first and second user sequence numbers differ; wherein the second user sequence number is the user sequence number corresponding to the first IP address that the Portal server obtains by looking up the locally stored mapping table, the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has allocated to each online Portal client, and the probability that any Portal client is assigned the same user sequence number after any two logins is not greater than a predetermined value;
the first authenticator in the logoff request message is then provided to the Portal server for comparison with a second authenticator: when the first and second authenticators are identical, the logoff authentication of the first Portal client is judged to have passed; when they differ, the logoff request message is discarded; wherein the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
11. The Portal client of claim 10, characterized in that it further comprises:
a login processing unit, for sending a login request message to the Portal server when this Portal client needs to go online, and receiving the login response message that the Portal server returns after the login authentication of the first Portal client has passed, the login response message carrying the user sequence number allocated by the Portal server to the first Portal client.
12. the method for an anti-replay-attack between Portal server and Portal client is characterized in that, comprising:
Step 1, Portal server receive the request message that rolls off the production line at a Portal client, include roll off the production line an IP address of a sequence number and a Portal client of first authenticator, first in the described request message that rolls off the production line;
Step 2, Portal server judge whether described first sequence number that rolls off the production line is within the sliding window scope of anti-replay of local maintenance: if then enter step 3, otherwise abandon described request message and the process ends of rolling off the production line; Wherein, to be respectively that described Portal server is current dispensed and as yet not by the maximum and reckling in the sequence number that rolls off the production line of Portal client of the authentication of rolling off the production line at the two ends of described sliding window, the distribution of the described sequence number that rolls off the production line is to ask Portal server being used to of receiving that each Portal client sends when needs roll off the production line to roll off the production line behind the serial number request message of sequence number, according to the sequencing that receives described serial number request message, for each Portal client is distributed in turn;
Step 3, Portal server is according to predetermined digest algorithm, predetermined field in preset shared key and the described request message that rolls off the production line is carried out digest calculations, obtain second authenticator, and judge whether first, second authenticator is identical: if judge that then the authentication of rolling off the production line of a described Portal client is passed through; Otherwise, abandon described request message and the process ends of rolling off the production line; Wherein, include described first sequence number that rolls off the production line in the described predetermined field.
13. method as claimed in claim 12 is characterized in that, also comprises:
Described Portal server receives that each Portal client sends when needs roll off the production line is used to ask to roll off the production line behind the serial number request message of sequence number, according to the sequencing that receives described serial number request message, for each Portal client is distributed the sequence number that rolls off the production line in turn.
14. the method for an anti-replay-attack between Portal server and Portal client is characterized in that, comprising:
The one Portal client is when needs roll off the production line, send the serial number request message of the sequence number that is used to ask to roll off the production line to Portal server, and receive the sequence number back message using that Portal server returns, carrying described Portal server in the described sequence number back message using is the sequence number that rolls off the production line that a described Portal client is distributed, wherein, the distribution of the described sequence number that rolls off the production line is described Portal server according to the sequencing that receives the serial number request message that each Portal client sends, for each Portal client is distributed in turn;
The one Portal client sends the request message that rolls off the production line to described Portal server, include roll off the production line an IP address of a sequence number and a Portal client of first authenticator, described first in the described request message that rolls off the production line, wherein, described first authenticator is according to predetermined digest algorithm, it is resulting that predetermined field in preset shared key and the described request message that rolls off the production line is carried out digest calculations, and described predetermined field includes described first sequence number that rolls off the production line;
Wherein, in the described request message that rolls off the production line first sequence number that rolls off the production line is used for judging whether to be within the sliding window scope of the anti-replay that described Portal server safeguards for described Portal server, and abandons the described request message that rolls off the production line for not the time in judged result; Wherein, to be respectively that described Portal server is current dispensed and as yet not by the maximum and reckling in the sequence number that rolls off the production line of Portal client of the authentication of rolling off the production line at the two ends of described sliding window;
First authenticator in the described request message that rolls off the production line is used for comparing for the described Portal server and second authenticator, and when first, second authenticator is identical, judge a described Portal client roll off the production line the authentication pass through, when described first, second authenticator is inequality, abandon the described request message that rolls off the production line; Wherein, to be described Portal server roll off the production line sequence number when identical at described first, second to described second authenticator, preset shared key and described predetermined field carried out that digest calculations obtains according to predetermined digest algorithm.
15. A Portal server, characterized in that it comprises:
a receiving unit, for receiving a logoff request message for a first Portal client, the logoff request message containing a first authenticator, a first logoff sequence number and the first IP address of the first Portal client;
a first judging unit, for judging whether the first logoff sequence number is within the range of the locally maintained anti-replay sliding window: if so, the second judging unit is triggered; otherwise the logoff request message is discarded; wherein the two ends of the sliding window are respectively the maximum and the minimum of the logoff sequence numbers that the Portal server has currently allocated to Portal clients and that have not yet passed logoff authentication, and the logoff sequence numbers are allocated by the Portal server to each Portal client in turn, after it receives the sequence number request messages that the Portal clients send when they need to go offline, according to the order in which the sequence number request messages are received;
a second judging unit, for performing a digest calculation, according to a predetermined digest algorithm, over the preset shared key and the predetermined fields of the logoff request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, the logoff authentication of the first Portal client is judged to have passed; otherwise the logoff request message is discarded; wherein the predetermined fields include the first logoff sequence number.
16. The Portal server of claim 15, characterized in that it further comprises:
a sequence number allocation unit, for allocating a logoff sequence number to each Portal client in turn, after receiving the sequence number request messages that the Portal clients send when they need to go offline, according to the order in which the sequence number request messages are received.
17. A Portal client, characterized in that it comprises:
a sequence number request unit, for sending, when this Portal client needs to go offline, a sequence number request message to the Portal server requesting a logoff sequence number, and receiving the sequence number response message returned by the Portal server, which carries the logoff sequence number allocated by the Portal server to the first Portal client; wherein the logoff sequence numbers are allocated by the Portal server to each Portal client in turn according to the order in which it receives the sequence number request messages sent by the Portal clients;
a logoff processing unit, for sending a logoff request message to the Portal server, the logoff request message containing a first authenticator, the first logoff sequence number and the first IP address of the first Portal client; wherein the first authenticator is obtained by a digest calculation, according to a predetermined digest algorithm, over the preset shared key and the predetermined fields of the logoff request message, and the predetermined fields include the first logoff sequence number;
wherein the first logoff sequence number in the logoff request message is for the Portal server to judge whether it is within the range of the anti-replay sliding window set up locally on the Portal server, and to discard the logoff request message when the judgement is negative; wherein the two ends of the sliding window are respectively the maximum and the minimum of the logoff sequence numbers that the Portal server has currently allocated to Portal clients and that have not yet passed logoff authentication;
the first authenticator in the logoff request message is for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logoff authentication of the first Portal client is judged to have passed; when they differ, the logoff request message is discarded; wherein the second authenticator is obtained by the Portal server, when the first logoff sequence number is within the sliding window, by a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
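The mapping-table variant of claims 1 to 11 (a user sequence number allocated at login, checked and then deleted at logoff), as an added worked example in Python; this is not code from the patent or from H3C. It assumes the same concrete message layout as before (IP address and user sequence number, MD5 over those fields followed by the shared key), a numerical space of 2^32 for the random allocation of claim 3, constructed IP addresses and a constructed shared key. Both allocation options of claim 3 are implemented; the sequential one is used in the walkthrough so that the run is deterministic.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed demo key; in deployment this is the shared key preset on both sides.
SHARED_KEY = b"demo-portal-shared-key"
SEQ_SPACE = 2 ** 32   # predetermined numerical space; its size is an assumption


@dataclass(frozen=True)
class LogoffRequest:
    """Logoff request message of claim 5: first authenticator, first IP
    address and first user sequence number."""
    ip: str
    user_seq: int
    authenticator: str


def compute_authenticator(ip: str, user_seq: int, key: bytes) -> str:
    """Digest over the predetermined fields (which include the user sequence
    number) and the shared key. The field layout is an assumption."""
    fields = f"{ip}|{user_seq}".encode()
    return hashlib.md5(fields + key).hexdigest()


class PortalServer:
    def __init__(self, key: bytes, sequential: bool = False) -> None:
        self.key = key
        self.sequential = sequential       # claim 3: random pick, or hand out in turn
        self.next_seq = 1
        self.table: Dict[str, int] = {}    # mapping table: online client IP -> user seq

    def login(self, ip: str) -> int:
        """Login authentication passed (claim 2): allocate a user sequence
        number, record it against the IP, and return it for the response."""
        if self.sequential:
            seq = self.next_seq
            self.next_seq += 1
        else:
            # Two logins collide with probability 1/SEQ_SPACE, which plays the
            # role of the predetermined value in the claims.
            seq = secrets.randbelow(SEQ_SPACE)
        self.table[ip] = seq
        return seq

    def handle_logoff(self, req: LogoffRequest) -> str:
        # Step B: look up the second user sequence number by the client IP.
        second_seq = self.table.get(req.ip)
        if second_seq is None or second_seq != req.user_seq:
            return "dropped: user sequence number mismatch"
        # Step C: recompute the authenticator and compare in constant time.
        expected = compute_authenticator(req.ip, req.user_seq, self.key)
        if not hmac.compare_digest(expected, req.authenticator):
            return "dropped: authenticator mismatch"
        # Claim 4: delete the mapping once logoff passes, so the same message
        # cannot be accepted again within this session.
        del self.table[req.ip]
        return "ok"


def demo() -> dict:
    """Legitimate logoff, a replay after logoff, a replay after a fresh login,
    and a tampered message. Sequential allocation keeps the run deterministic."""
    server = PortalServer(SHARED_KEY, sequential=True)
    ip = "10.0.0.21"                                   # constructed address
    seq1 = server.login(ip)                            # 1
    req1 = LogoffRequest(ip, seq1, compute_authenticator(ip, seq1, SHARED_KEY))
    out = {"first_logoff": server.handle_logoff(req1)}       # ok, mapping removed
    out["replay_after_logoff"] = server.handle_logoff(req1)  # no mapping -> dropped
    seq2 = server.login(ip)                            # 2: new session, new number
    out["replay_after_relogin"] = server.handle_logoff(req1)  # 1 != 2 -> dropped
    tampered = LogoffRequest(ip, seq2, req1.authenticator)
    out["tampered_seq"] = server.handle_logoff(tampered)     # digest mismatch
    req2 = LogoffRequest(ip, seq2, compute_authenticator(ip, seq2, SHARED_KEY))
    out["second_logoff"] = server.handle_logoff(req2)        # ok
    out["table_empty"] = not server.table
    return out


def random_allocation_in_space() -> bool:
    """Claim 3's random option: the number must fall in the numerical space."""
    server = PortalServer(SHARED_KEY)
    return 0 <= server.login("10.0.0.22") < SEQ_SPACE


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Compared with the sliding-window variant, the per-IP mapping means the server needs no global window state, but it relies on the user sequence number changing between sessions: with sequential allocation a captured message becomes invalid as soon as the client logs in again, and with random allocation the chance that an old message's number is reissued is bounded by 1/SEQ_SPACE.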
CN200910237527.5A 2009-11-11 2009-11-11 Method and device for preventing replay attack between portal server and client Expired - Fee Related CN102065067B (en)

Publications (2)

Publication Number Publication Date
CN102065067A true CN102065067A (en) 2011-05-18
CN102065067B CN102065067B (en) 2014-06-25

Family

ID=44000170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910237527.5A Expired - Fee Related CN102065067B (en) 2009-11-11 2009-11-11 Method and device for preventing replay attack between portal server and client

Country Status (1)

Country Link
CN (1) CN102065067B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102684884A (en) * 2012-05-24 2012-09-19 杭州华三通信技术有限公司 Portal Web server and method for preventing off-line request forgery
CN102761560A (en) * 2012-08-01 2012-10-31 飞天诚信科技股份有限公司 Method and system for verifying information integrity
CN102801733A (en) * 2012-08-28 2012-11-28 盛科网络(苏州)有限公司 Method for setting security authentication in precision time protocol (PTP)
CN102857521A (en) * 2012-10-12 2013-01-02 盛科网络(苏州)有限公司 Method and device for setting operation, administration and maintenance (OAM) security authentication
CN103237020A (en) * 2013-04-07 2013-08-07 杭州华三通信技术有限公司 Attack avoidance method for state machine, server, and switch
CN103441983A (en) * 2013-07-11 2013-12-11 盛科网络(苏州)有限公司 Information protection method and device based on link layer discovery protocol
WO2014110774A1 (en) * 2013-01-18 2014-07-24 Hewlett-Packard Development Company, L.P. Preventing an input/output blocking attack to a wireless access point
CN104105125A (en) * 2013-04-15 2014-10-15 中国移动通信集团北京有限公司 Service processing method, device and system
CN104917765A (en) * 2015-06-10 2015-09-16 杭州华三通信技术有限公司 Attack prevention method, and equipment
WO2015149669A1 (en) * 2014-04-03 2015-10-08 国家电网公司 Trusted network attack filtering device and network attack filtering method
WO2016123907A1 (en) * 2015-02-06 2016-08-11 中兴通讯股份有限公司 Method and apparatus for detecting repeated simulation packet
CN106453408A (en) * 2016-11-21 2017-02-22 杭州华三通信技术有限公司 Method and device for preventing counterfeited offline attack
CN106789884A (en) * 2016-11-16 2017-05-31 上海斐讯数据通信技术有限公司 Portal authentication method and system
US10264013B2 (en) 2013-01-18 2019-04-16 Hewlett Packard Enterprise Development Lp Preventing a memory attack to a wireless access point
CN112653699A (en) * 2020-12-22 2021-04-13 迈普通信技术股份有限公司 BFD authentication method and device and electronic equipment
CN112671605A (en) * 2020-12-16 2021-04-16 建信金融科技有限责任公司 Test method and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1416241A (en) * 2002-10-16 2003-05-07 华为技术有限公司 Authentication method for supporting network switching in based on different devices at same time
JP2004302869A (en) * 2003-03-31 2004-10-28 Fuji Xerox Co Ltd Access management server, network device, network system and access management method
CN101217567A (en) * 2008-01-08 2008-07-09 杭州华三通信技术有限公司 A webpage push method, system and device
CN101277308A (en) * 2008-05-23 2008-10-01 杭州华三通信技术有限公司 Method for insulating inside and outside networks, authentication server and access switch

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102684884B (en) * 2012-05-24 2016-08-03 杭州华三通信技术有限公司 Portal Web server and method for preventing forged offline requests
CN102684884A (en) * 2012-05-24 2012-09-19 杭州华三通信技术有限公司 Portal Web server and method for preventing off-line request forgery
CN102761560B (en) * 2012-08-01 2015-01-14 飞天诚信科技股份有限公司 Method and system for verifying information integrity
CN102761560A (en) * 2012-08-01 2012-10-31 飞天诚信科技股份有限公司 Method and system for verifying information integrity
CN102801733A (en) * 2012-08-28 2012-11-28 盛科网络(苏州)有限公司 Method for setting security authentication in precision time protocol (PTP)
CN102857521A (en) * 2012-10-12 2013-01-02 盛科网络(苏州)有限公司 Method and device for setting operation, administration and maintenance (OAM) security authentication
WO2014110774A1 (en) * 2013-01-18 2014-07-24 Hewlett-Packard Development Company, L.P. Preventing an input/output blocking attack to a wireless access point
US10264013B2 (en) 2013-01-18 2019-04-16 Hewlett Packard Enterprise Development Lp Preventing a memory attack to a wireless access point
CN103237020B (en) * 2013-04-07 2016-08-17 杭州华三通信技术有限公司 Method for preventing attacks on a state machine, and server and switch
CN103237020A (en) * 2013-04-07 2013-08-07 杭州华三通信技术有限公司 Attack avoidance method for state machine, server, and switch
CN104105125A (en) * 2013-04-15 2014-10-15 中国移动通信集团北京有限公司 Service processing method, device and system
CN104105125B (en) * 2013-04-15 2017-08-25 中国移动通信集团北京有限公司 Service processing method, apparatus and system
CN103441983A (en) * 2013-07-11 2013-12-11 盛科网络(苏州)有限公司 Information protection method and device based on link layer discovery protocol
WO2015149669A1 (en) * 2014-04-03 2015-10-08 国家电网公司 Trusted network attack filtering device and network attack filtering method
WO2016123907A1 (en) * 2015-02-06 2016-08-11 中兴通讯股份有限公司 Method and apparatus for detecting repeated simulation packet
CN104917765A (en) * 2015-06-10 2015-09-16 杭州华三通信技术有限公司 Attack prevention method, and equipment
CN106789884A (en) * 2016-11-16 2017-05-31 上海斐讯数据通信技术有限公司 Portal authentication method and system
CN106453408A (en) * 2016-11-21 2017-02-22 杭州华三通信技术有限公司 Method and device for preventing counterfeited offline attack
CN112671605A (en) * 2020-12-16 2021-04-16 建信金融科技有限责任公司 Test method and device and electronic equipment
CN112653699A (en) * 2020-12-22 2021-04-13 迈普通信技术股份有限公司 BFD authentication method and device and electronic equipment

Also Published As

Publication number Publication date
CN102065067B (en) 2014-06-25

Similar Documents

Publication Publication Date Title
CN102065067B (en) Method and device for preventing replay attack between portal server and client
CN101415012B (en) Method and system for defending address analysis protocol message aggression
CN101345743B (en) Method and system for preventing network attack by utilizing address analysis protocol
US8706866B2 (en) Virtual server and method for identifying zombie, and sinkhole server and method for integratedly managing zombie information
CN105897782A (en) Method and device for treating call request of interface
Shawahna et al. EDoS-ADS: An enhanced mitigation technique against economic denial of sustainability (EDoS) attacks
CN102572815B (en) Method, system and device for processing terminal application request
EP3346660A1 (en) Authentication information update method and device
CN109660556B (en) User login method, device, equipment and storage medium based on information security
CN106453361B (en) Network information security protection method and system
CN109714370B (en) HTTP (hyper text transport protocol) -based cloud security communication implementation method
CN109104475B (en) Connection recovery method, device and system
Ren et al. A novel dynamic user authentication scheme
CN103338201B (en) Remote identity authentication method with registration center participation in a multi-server environment
CN104660605A (en) Multi-factor identity authentication method and system
CN109756460B (en) Replay attack prevention method and device
CN101715009A (en) Safe address allocation method, detecting device, detecting equipment and detecting system
CN101599967A (en) Authority control method and system based on the 802.1x Verification System
US20140330689A1 (en) System and Method for Verifying Online Banking Account Identity Using Real-Time Communication and Digital Certificate
CN113660216B (en) Password attack detection method, device, electronic device and storage medium
CN110035035B (en) Secondary authentication method and system for single sign-on
CN104093135A (en) RADIUS authentication charging speed adjusting method and device
CN101707604B (en) Method, system and device for preventing malicious attack
CN113596839A (en) Safe and reliable flow authentication method free of directional access flow
CN108322449A (en) Method, storage medium, device and system for preventing video stream theft

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140625

Termination date: 20191111