CN102065067B - Method and device for preventing replay attack between portal server and client - Google Patents

Method and device for preventing replay attack between portal server and client

Info

Publication number: CN102065067B
Authority: CN (China)
Prior art keywords: production line, sequence number, portal, request message, rolls ("production line" and "rolls" are machine-translation residue of the Chinese term for going offline, i.e. logging out)
Legal status: Expired - Fee Related (the legal status is an assumption by Google and not a legal conclusion)
Application number: CN200910237527.5A
Other languages: Chinese (zh)
Other versions: CN102065067A
Inventors: 刘洋, 伊莉娜
Current assignee: New H3C Technologies Co Ltd (listed assignees may be inaccurate)
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN200910237527.5A; published as CN102065067A, granted as CN102065067B.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and device for preventing replay attacks between a Portal server and a Portal client. The Portal server assigns a sequence number (a user sequence number or a logout sequence number) to the client and uses that sequence number during logout authentication to detect replayed messages, thereby effectively preventing replay of logout request messages and improving the security of the Portal authentication system.

Description

A method and apparatus for preventing replay attacks between a Portal server and a Portal client
Technical field
The present invention relates to the field of secure authentication, and in particular to a method and apparatus for preventing replay attacks between a Portal server and a Portal client.
Background art
Portal authentication, commonly called web authentication, authenticates a user through a web page; the website used for it is usually called the portal site. The Portal authentication protocol is mainly used in web-based broadband access authentication systems to authenticate and authorize users. When an unauthenticated user goes online, the access device forces the user to a particular site, where the user may access services freely. When the user needs other resources on the Internet, the user must authenticate at the portal site; only after passing authentication can the user use Internet resources.
The whole Portal authentication process involves the Portal client, the Portal server, a Broadband Access Server (BAS) and an Authentication, Authorization and Accounting (AAA) server. Authentication is mainly completed through protocol interaction between the Portal server and the BAS; the protocol uses a non-standard client/server structure, and most messages are exchanged in request/response fashion.
Figure 1 shows the prior-art flow in which a Portal client actively requests to go offline (log out). The Portal client sends a logout request message (LOGOUT_REQUEST, 0x66) to the Portal server. The Authenticator field of the logout request is an MD5 (Message-Digest Algorithm 5) digest computed over part of the fields of the logout request together with the shared key preset on the Portal client. On receiving the logout request, the Portal server computes an MD5 digest over the same fields of the request and the shared key preset on the server, and compares the result with the Authenticator field sent by the Portal client. If they are identical, the message is considered legitimate, the server performs its interaction with the BAS and finally returns a logout response to the Portal client; otherwise the message is considered invalid, is simply discarded, and is counted in the dropped-packet statistics. This is the Portal server's authentication of the Portal client. To complete it, the Portal server and the Portal client must both be configured with the same preset shared key (Secret) and must use the same digest algorithm (for example MD5 as described in RFC 1321); to verify a received message, the receiver must perform exactly the same computation over the predetermined fields as the sender did.
The prior-art logout implementation has a security problem: a man-in-the-middle replay attack. An attacker positioned between the Portal client and the Portal server can capture and save a logout request that the Portal client once sent to the Portal server. When the same Portal client later authenticates again and is online normally, the attacker replays the saved message to the Portal server, which causes the server to abruptly force the Portal client offline. If the attacker has saved the logout requests of a large number of different Portal clients and replays them deliberately at irregular intervals, a large number of Portal clients will be abnormally disconnected, and further attacks such as session hijacking or theft of trust relationships between hosts can follow.
Summary of the invention
The technical problem solved by the present invention is to provide a method and apparatus for preventing replay attacks between a Portal server and a Portal client, so as to effectively prevent replay of logout request messages and improve the security of the Portal authentication system.
To solve the above technical problem, the invention provides the following.
A method for preventing replay attacks between a Portal server and a Portal client, comprising:
Step A: the Portal server receives a logout request message for a first Portal client; the logout request contains a first authenticator, a first user sequence number and the IP address of the first Portal client.
Step B: the Portal server looks up, in a locally stored mapping table, the second user sequence number corresponding to that IP address, and judges whether the first and second user sequence numbers are identical: if so, it proceeds to step C; otherwise it discards the logout request and ends the procedure. The mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has assigned to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value.
Step C: the Portal server computes a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, the logout authentication of the first Portal client passes; otherwise the logout request is discarded and the procedure ends. The predetermined fields include the first user sequence number.
Preferably, the method further comprises:
After each Portal client passes login authentication, the Portal server assigns a user sequence number to that Portal client and carries the assigned user sequence number in the authentication response sent to the corresponding Portal client.
Preferably, in the method,
assigning a user sequence number to each Portal client is:
for any Portal client, randomly selecting a value from a predetermined numeric space as the user sequence number of that Portal client; or, in the order in which the Portal clients pass login authentication, assigning the values of the predetermined numeric space to the Portal clients in turn as their user sequence numbers.
Preferably, in step C, after the logout authentication of the first Portal client passes, the Portal server further deletes the correspondence between that IP address and the second user sequence number from the mapping table.
The invention also provides another method for preventing replay attacks between a Portal server and a Portal client, comprising:
When a first Portal client needs to go offline, it sends a logout request message to the Portal server; the logout request contains a first authenticator, the IP address of the first Portal client and a first user sequence number. The first user sequence number is the user sequence number that the Portal server assigned to the first Portal client after it went online, and the probability that any Portal client is assigned the same user sequence number by the Portal server after each login is less than a predetermined value. The first authenticator is obtained by computing a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request, the predetermined fields including the first user sequence number.
The first user sequence number in the logout request is provided for the Portal server to compare with a second user sequence number, and the logout request is discarded when the first and second user sequence numbers differ. The second user sequence number is the user sequence number corresponding to the IP address that the Portal server finds in its locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number the Portal server assigned to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value.
The first authenticator in the logout request is provided for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass; when they differ, the logout request is discarded. The second authenticator is computed by the Portal server, when the first and second user sequence numbers are identical, as a digest over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
Preferably, before the logout request is sent, the method further comprises:
When the first Portal client needs to go online, it sends a login request message to the Portal server and receives the login response that the Portal server returns after the login authentication of the first Portal client passes; the login response carries the user sequence number that the Portal server assigned to the first Portal client.
The invention provides a Portal server, comprising:
a receiving unit, for receiving a logout request message for a first Portal client, the logout request containing a first authenticator, a first user sequence number and the IP address of the first Portal client;
a first judging unit, for looking up in a locally stored mapping table the second user sequence number corresponding to that IP address and judging whether the first and second user sequence numbers are identical: if so, triggering the second judging unit; otherwise discarding the logout request; where the mapping table stores the correspondence between the IP address and the user sequence number the Portal server assigned to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
a second judging unit, for computing a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logout authentication of the first Portal client passes; otherwise discarding the logout request; where the predetermined fields include the first user sequence number.
Preferably, the Portal server further comprises:
a sequence number assignment unit, for assigning a user sequence number to each Portal client after its login authentication passes, and carrying the assigned user sequence number in the authentication response sent to the corresponding Portal client.
Preferably, in the Portal server,
the sequence number assignment unit is further for: for any Portal client, randomly selecting a value from a predetermined numeric space as the user sequence number of that Portal client; or, in the order in which the Portal clients pass login authentication, assigning the values of the predetermined numeric space to the Portal clients in turn as their user sequence numbers.
The invention also provides a Portal client, comprising:
a logout processing unit, for sending a logout request message to the Portal server when this Portal client needs to go offline, the logout request containing a first authenticator, the IP address of the first Portal client and a first user sequence number, where the first user sequence number is the user sequence number that the Portal server assigned to the first Portal client after it went online, the probability that any Portal client is assigned the same user sequence number by the Portal server after each login is less than a predetermined value, and the first authenticator is obtained by computing a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request, the predetermined fields including the first user sequence number;
where the first user sequence number in the logout request is provided for the Portal server to compare with a second user sequence number, the logout request being discarded when the first and second user sequence numbers differ; the second user sequence number is the user sequence number corresponding to the IP address that the Portal server finds in its locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number the Portal server assigned to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two logins is not greater than a predetermined value;
the first authenticator in the logout request is provided for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass; when they differ, the logout request is discarded; the second authenticator is computed by the Portal server, when the first and second user sequence numbers are identical, as a digest over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
Preferably, the Portal client further comprises:
a login processing unit, for sending a login request message to the Portal server when this Portal client needs to go online, and receiving the login response that the Portal server returns after the login authentication of the first Portal client passes, the login response carrying the user sequence number that the Portal server assigned to the first Portal client.
The invention further provides a method for preventing replay attacks between a Portal server and a Portal client, comprising:
Step 1: the Portal server receives a logout request message for a first Portal client; the logout request contains a first authenticator, a first logout sequence number and the IP address of the first Portal client.
Step 2: the Portal server judges whether the first logout sequence number lies within the anti-replay sliding window it maintains locally: if so, it proceeds to step 3; otherwise it discards the logout request and ends the procedure. The two ends of the sliding window are, respectively, the largest and the smallest of the logout sequence numbers that the Portal server has currently assigned to Portal clients whose logout has not yet been authenticated. Logout sequence numbers are assigned by the Portal server to the Portal clients in turn, in the order in which it receives the sequence number request messages that the Portal clients send when they need to go offline.
Step 3: the Portal server computes a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, the logout authentication of the first Portal client passes; otherwise the logout request is discarded and the procedure ends. The predetermined fields include the first logout sequence number.
Preferably, the method further comprises:
After receiving the sequence number request message that each Portal client sends when it needs to go offline, the Portal server assigns logout sequence numbers to the Portal clients in turn, in the order in which the sequence number requests are received.
The invention again provides a method for preventing replay attacks between a Portal server and a Portal client, comprising:
When a first Portal client needs to go offline, it sends to the Portal server a sequence number request message asking for a logout sequence number, and receives the sequence number response returned by the Portal server; the sequence number response carries the logout sequence number that the Portal server assigned to the first Portal client, where the Portal server assigns logout sequence numbers to the Portal clients in turn, in the order in which it receives their sequence number requests;
the first Portal client sends a logout request message to the Portal server; the logout request contains a first authenticator, the first logout sequence number and the IP address of the first Portal client, where the first authenticator is obtained by computing a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request, the predetermined fields including the first logout sequence number;
where the first logout sequence number in the logout request is provided for the Portal server to judge whether it lies within the anti-replay sliding window maintained by the Portal server, the logout request being discarded when it does not; the two ends of the sliding window are, respectively, the largest and the smallest of the logout sequence numbers that the Portal server has currently assigned to Portal clients whose logout has not yet been authenticated;
the first authenticator in the logout request is provided for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass; when they differ, the logout request is discarded. The second authenticator is computed by the Portal server, once the first logout sequence number has passed the sliding-window check, as a digest over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
The invention also provides another Portal server, comprising:
a receiving unit, for receiving a logout request message for a first Portal client, the logout request containing a first authenticator, a first logout sequence number and the IP address of the first Portal client;
a first judging unit, for judging whether the first logout sequence number lies within the anti-replay sliding window maintained locally: if so, triggering the second judging unit; otherwise discarding the logout request; where the two ends of the sliding window are, respectively, the largest and the smallest of the logout sequence numbers that the Portal server has currently assigned to Portal clients whose logout has not yet been authenticated, and logout sequence numbers are assigned by the Portal server to the Portal clients in turn, in the order in which it receives the sequence number request messages that the Portal clients send when they need to go offline;
a second judging unit, for computing a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logout authentication of the first Portal client passes; otherwise discarding the logout request; where the predetermined fields include the first logout sequence number.
Preferably, the Portal server further comprises:
a sequence number assignment unit, for assigning logout sequence numbers to the Portal clients in turn, in the order in which the sequence number request messages that the Portal clients send when they need to go offline are received.
The invention also provides another Portal client, comprising:
a sequence number request unit, for sending to the Portal server, when this Portal client needs to go offline, a sequence number request message asking for a logout sequence number, and receiving the sequence number response returned by the Portal server, the sequence number response carrying the logout sequence number that the Portal server assigned to the first Portal client, where the Portal server assigns logout sequence numbers to the Portal clients in turn, in the order in which it receives their sequence number requests;
a logout processing unit, for sending a logout request message to the Portal server, the logout request containing a first authenticator, the first logout sequence number and the IP address of the first Portal client, where the first authenticator is obtained by computing a digest, according to a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request, the predetermined fields including the first logout sequence number;
where the first logout sequence number in the logout request is provided for the Portal server to judge whether it lies within the anti-replay sliding window set locally on the Portal server, the logout request being discarded when it does not; the two ends of the sliding window are, respectively, the largest and the smallest of the logout sequence numbers that the Portal server has currently assigned to Portal clients whose logout has not yet been authenticated;
the first authenticator in the logout request is provided for the Portal server to compare with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to pass; when they differ, the logout request is discarded. The second authenticator is computed by the Portal server, once the first logout sequence number has passed the sliding-window check, as a digest over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
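The two schemes claimed above, steps A to C with a user sequence number and steps 1 to 3 with a logout sequence number and sliding window, as one added worked example in Python. This is not code from the patent or from H3C. Assumptions: the field set and concatenation order fed to MD5 (message type, client IP, sequence number, then the shared key), the 32-bit random space for user sequence numbers, the message shapes, and the sample IPs and secret are all constructed for illustration. For scheme 2 the server additionally keeps the set of outstanding numbers, because the claim defines the window only by its two ends and a number already consumed by an authenticated logout still lies between them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

LOGOUT_REQUEST = 0x66  # logout request type named on the page


@dataclass(frozen=True)
class LogoutRequest:
    client_ip: str
    seq: int  # user sequence number (scheme 1) or logout sequence number (scheme 2)
    authenticator: bytes


def authenticator(client_ip: str, seq: int, secret: bytes) -> bytes:
    """MD5 over the predetermined fields and the shared key (field order is an assumption)."""
    data = bytes([LOGOUT_REQUEST]) + client_ip.encode() + seq.to_bytes(4, "big") + secret
    return hashlib.md5(data).digest()


def make_logout(client_ip: str, seq: int, secret: bytes) -> LogoutRequest:
    return LogoutRequest(client_ip, seq, authenticator(client_ip, seq, secret))


class SeqNumberServer:
    """Scheme 1: mapping table of IP -> user sequence number for online clients."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.table: dict[str, int] = {}
        self.dropped = 0

    def login(self, client_ip: str) -> int:
        seq = secrets.randbits(32)  # random pick: a repeat on re-login has probability 2**-32
        self.table[client_ip] = seq
        return seq  # carried to the client in the login response

    def handle_logout(self, req: LogoutRequest) -> bool:
        if self.table.get(req.client_ip) != req.seq:  # step B: unknown IP or stale number
            self.dropped += 1
            return False
        if not hmac.compare_digest(authenticator(req.client_ip, req.seq, self.secret), req.authenticator):
            self.dropped += 1  # step C: the digest binds the sequence number
            return False
        del self.table[req.client_ip]  # preferred variant: drop the mapping once used
        return True


class WindowServer:
    """Scheme 2: numbers issued in arrival order; window over issued, unconsumed numbers."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.next_seq = 1
        self.outstanding: set[int] = set()
        self.dropped = 0

    def request_seq(self) -> int:
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.outstanding.add(seq)
        return seq  # carried to the client in the sequence number response

    def window(self):
        return (min(self.outstanding), max(self.outstanding)) if self.outstanding else None

    def handle_logout(self, req: LogoutRequest) -> bool:
        w = self.window()
        # Step 2. The membership test is an added guard: a consumed number still lies between the ends.
        if w is None or not (w[0] <= req.seq <= w[1]) or req.seq not in self.outstanding:
            self.dropped += 1
            return False
        if not hmac.compare_digest(authenticator(req.client_ip, req.seq, self.secret), req.authenticator):
            self.dropped += 1  # step 3
            return False
        self.outstanding.discard(req.seq)
        return True


def scheme1_replay():
    """Client logs in, logs out, logs in again; the captured logout is replayed."""
    secret, ip = b"constructed-shared-secret", "10.0.0.7"
    srv = SeqNumberServer(secret)
    captured = make_logout(ip, srv.login(ip), secret)  # recorded by the man in the middle
    first = srv.handle_logout(captured)
    srv.login(ip)  # client back online with a fresh number
    replay = srv.handle_logout(captured)
    return {"first": first, "replay": replay, "dropped": srv.dropped}


def scheme2_replay():
    """Three clients fetch numbers 1..3; the middle one logs out and is then replayed."""
    secret = b"constructed-shared-secret"
    srv = WindowServer(secret)
    a, b, c = (make_logout(ip, srv.request_seq(), secret) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"))
    before = srv.window()  # (1, 3)
    b_ok = srv.handle_logout(b)
    b_replay = srv.handle_logout(b)  # 2 is inside (1, 3) but no longer outstanding
    a_ok, c_ok = srv.handle_logout(a), srv.handle_logout(c)
    a_replay = srv.handle_logout(a)  # window is now empty
    return {"before": before, "b_ok": b_ok, "b_replay": b_replay, "a_ok": a_ok,
            "c_ok": c_ok, "a_replay": a_replay, "dropped": srv.dropped}
```

Calling scheme1_replay() and scheme2_replay() shows each server accepting the fresh logouts and dropping the replayed one. Two points carry over to a real implementation: the sequence number has to be inside the digest input, as step C and step 3 require, because the login or sequence number response that delivers it crosses the same path the attacker listens on, and an old authenticator must not be combinable with a freshly observed number; and the authenticator comparison should be constant time (hmac.compare_digest here). MD5 is kept only because the page names it; the construction is a keyed digest, and a current implementation would use HMAC with a modern hash rather than a bare MD5 over fields and key.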
As can be seen from the above, in the method and apparatus for preventing replay attacks between a Portal server and a Portal client provided by the invention, the Portal server assigns a corresponding sequence number (a user sequence number or a logout sequence number) to the client and uses that sequence number during logout authentication to detect replayed messages, so that replay of logout request messages is effectively prevented and the security of the Portal authentication system is improved.
Brief description of the drawings
Fig. 1 is a flow diagram of the prior-art process in which a Portal client actively requests to go offline;
Fig. 2 is a flow diagram of the anti-replay method of embodiment 1 of the invention;
Fig. 3 is a diagram of the format of a Portal protocol message;
Fig. 4 is a structural diagram of the Portal server of embodiment 1 of the invention;
Fig. 5 is a structural diagram of the Portal client of embodiment 1 of the invention;
Fig. 6 is a flow diagram of the anti-replay method of embodiment 2 of the invention;
Fig. 7 is a structural diagram of the Portal server of embodiment 2 of the invention;
Fig. 8 is a structural diagram of the Portal client of embodiment 2 of the invention.
Embodiment
The reason the prior art suffers from man-in-the-middle replay attacks is that the Portal server in the prior-art scheme mainly verifies the authenticity of the logout request message. In other words, what is verified is the trust relationship among three things: certain fields of the logout request message, the preset shared key, and the Authenticator field of the logout request message. A verification process based on this relationship can only guarantee the authenticity of the message, that is, it can detect whether the message has been tampered with by an attacker. It cannot, however, verify the freshness of the request message, that is, it cannot tell whether the request message is being sent repeatedly.
The main idea of the present invention is to introduce, into the Portal server's verification of a Portal client, a trusted factor associated with the Portal user, so as to solve the security problem caused by man-in-the-middle replay attacks. The invention is further described below with reference to the drawings and by way of specific embodiments.
<Embodiment 1>
In this embodiment, after any Portal client logs in, the Portal server allocates a user sequence number to that Portal client. For the same Portal client, the Portal server ensures as far as possible that the client is allocated a different user sequence number each time it logs in. The Portal server stores locally the correspondence between the user sequence number and the IP address of each online Portal client, and after receiving a logout request message from a Portal client it verifies the freshness of the message according to the locally stored correspondence and the user sequence number carried in the logout request message.
As shown in Fig. 2, the method for preventing replay attacks between a Portal server and a Portal client provided by this embodiment comprises the following steps:
Step 21: When a Portal client needs to log in, it sends a login request message (login_request) to the Portal server. After the login authentication of this Portal client passes, the Portal server allocates an IP address and a user sequence number to the Portal client and returns a login response message (login_response) indicating that authentication passed. This login response message comprises a field (for example a self-defined USER_SEQNUM field) carrying the user sequence number allocated to this Portal client, which uniquely identifies it. At the same time, the Portal server maintains a mapping table locally, in which it stores the correspondence between the IP address and the user sequence number allocated to this Portal client. After receiving the login response message, the Portal client extracts the IP address and the user sequence number allocated to it by the Portal server, and can then use this IP address to access the Internet.
Here, when allocating a user sequence number to a Portal client, the Portal server needs to ensure that the probability of the Portal client being allocated the same user sequence number on different logins is not greater than a predetermined value. The specific allocation method can be:
1) Randomly choose a value from a numeric space of predetermined size (assumed to be N) as the user sequence number of the Portal client. Under this allocation method, suppose the Portal client is allocated user sequence number 1 after its 1st login; the probability that it is again allocated user sequence number 1 after its 2nd login is 1/N. As long as N is large enough, the probability that the Portal client is allocated the same user sequence number on different logins is sufficiently small. For example, when N is 2^32 or 2^64, the anti-replay requirements of practical use can be met.
2) Allocate the values in the predetermined numeric space (assumed to be of size N) to the Portal clients sequentially, in the order in which their login authentication passes, as their user sequence numbers. In this case, suppose the Portal client is allocated user sequence number 1 after its 1st login; the probability that it is again allocated user sequence number 1 after its 2nd login is less than 1/N.
Here, sequential allocation can be incrementing allocation: if the order in which the login authentication of the Portal clients passes is Portal client 1, Portal client 2, Portal client 3, ..., then the user sequence numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... are respectively n, n+1, n+2, .... When the allocated user sequence number reaches the upper limit of the numeric space, allocation continues cyclically from the lower limit of the numeric space.
Sequential allocation can also be decrementing allocation, in which case the user sequence numbers allocated to the above Portal client 1, Portal client 2, Portal client 3, ... are respectively n, n-1, n-2, .... When the allocated user sequence number reaches the lower limit of the numeric space, allocation continues cyclically from the upper limit of the numeric space.
Table 1 below illustrates the content that the mapping table maintained by the Portal server may comprise. The user sequence number and IP address in each row are the user sequence number and IP address allocated by the Portal server to a certain client.
ID     User sequence number   Start time           IP address   MAC address         NAS_IP
40032  2                      2009-7-10 15:49:05   1.1.1.101    00:31:00:00:00:01   85.1.1.1
40033  3                      2009-7-10 15:49:06   1.1.1.102    00:31:00:00:00:02   85.1.1.1
40034  4                      2009-7-10 15:49:07   1.1.1.103    00:31:00:00:00:03   85.1.1.1
40035  5                      2009-7-10 15:49:08   1.1.1.104    00:31:00:00:00:04   85.1.1.1
Table 1
As can be seen from what follows, what the Portal server checks in this embodiment is the correspondence between the IP address and the user sequence number that the Portal server allocated to this Portal client. The probability that a client is allocated the same IP address and the same user sequence number in different login processes is low: taking a user sequence number space of size 2^64 as an example, this probability is 1/(m·2^64), where m is assumed to be the size of the allocatable IP address space and the IP addresses are also assumed to be allocated randomly. This probability is extremely small and sufficient for the anti-replay requirements of current practical use. If stronger security assurance is needed, the size of the user sequence number space can be increased further, and the preset shared key can also be updated periodically between the Portal client and the Portal server.
Step 22: Suppose a certain Portal client, the first Portal client, needs to log out. The first Portal client sends a logout request message to the Portal server; the logout request message comprises a first authenticator, the first user sequence number and the first IP address of the first Portal client, where the first authenticator is obtained by the first Portal client by performing digest calculation, according to the predetermined digest algorithm, over the predetermined field of the logout request message and the locally stored preset shared key, and the predetermined field includes the first user sequence number.
Here, the first user sequence number in the logout request message is provided to the Portal server for comparison with a second user sequence number, and the logout request message is discarded when the first and second user sequence numbers are not identical. The second user sequence number is the user sequence number corresponding to the first IP address that the Portal server obtains by looking up its locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server allocated to each online Portal client, and the probability that any Portal client is allocated the same user sequence number on any two logins is not greater than a predetermined value. When the first and second user sequence numbers are identical, the first authenticator in the logout request message is provided to the Portal server for comparison with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to have passed, and when they are not identical the logout request message is discarded. The second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by performing digest calculation over the preset shared key and the predetermined field according to the predetermined digest algorithm.
Here, the first Portal client performs the digest calculation over the predetermined field of the logout request message and the preset shared key according to the predetermined digest algorithm (for example MD5). The logout request message is a Portal protocol message, whose format is shown in Fig. 3. In this embodiment, the predetermined field used for the digest calculation comprises the Ver field, the Type field, the PAP/CHAP field, the Rsvd field, the SerialNo field, the ReqID field, the UserIP field, the UserPort field, the ErrCode field, the AttrNum field, 16 bytes of 0, and the Attributes field; the calculated first authenticator is carried in the Authenticator field of the request message. The first user sequence number is included in the USER_SEQNUM sub-attribute field within the Attributes field.
Step 23: After receiving the above logout request message from the first Portal client, the Portal server extracts the first IP address and the first user sequence number of the first Portal client from the message, looks up the second user sequence number corresponding to the first IP address in the locally stored mapping table, and judges whether the second user sequence number is identical to the first user sequence number: if so, go to step 24; otherwise go to step 26;
Step 24: The Portal server performs digest calculation, according to the predetermined digest algorithm, over the predetermined field of the logout request message and the locally stored preset shared key to obtain a second authenticator, and judges whether the first authenticator carried in the logout request message is identical to the second authenticator: if so, go to step 25; otherwise go to step 26.
Here, the preset shared keys stored by the server and by the client are identical, and the method for synchronizing the shared key is the same as in the prior art.
Step 25: The Portal server judges that the logout authentication of the first Portal client has passed. After the logout authentication of the first Portal client passes, the Portal server continues, in the same way as in the prior art, to interact with the BAS to request the relevant information for the Portal client's logout, and after receiving the response message returned by the BAS it returns a logout response message to the first Portal client indicating that logout succeeded. On receiving this logout response message, the first Portal client considers itself successfully logged out.
Step 26: The Portal server judges that the logout authentication of the first Portal client has failed; it directly discards the logout request message and ends the flow.
As can be seen from the above flow, in this embodiment the user sequence number allocated to a Portal client is normally different on each login, and the Portal client uses the user sequence number as an input to the MD5 digest calculation, so the logout request message also carries the user sequence number. Thus, when a man-in-the-middle attacker intercepts a logout request message sent by a Portal client to the Portal server and replays it after that Portal client has logged in again, the user sequence number in the replayed logout request message differs from the user sequence number currently allocated to that Portal client, so the Portal server can judge the logout request message to be a replayed message and discard it, and the attack fails. Even if the attacker has intercepted the user sequence number allocated by the Portal server at the Portal client's most recent login and substitutes it into the corresponding field of the replayed logout request message, the Portal server can still detect this by the above step 24: when the Portal server performs the MD5 calculation over the predetermined field of the logout request message (which comprises the user sequence number) and the preset shared key, it finds that the result differs from the authenticator carried in the logout request message, judges that the logout request message has been tampered with, and still discards the logout request message.
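The login-then-logout exchange of steps 21 to 26, as an added example that is not the patent's code: a Portal server keeps the IP-to-user-sequence-number table, the client builds a logout request in a constructed layout of the Fig. 3 header with USER_SEQNUM as a TLV attribute, and the server applies the step 23 and step 24 checks to a genuine, a replayed and a spliced message. The header field widths, the TLV type value, the Type value and the position of the shared key in the MD5 input are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Added example (not the patent's own code). Constructed layout of the Portal
# header named in the text (field widths are an assumption): Ver, Type,
# PAP/CHAP, Rsvd (1 byte each), SerialNo, ReqID (2 each), UserIP (4),
# UserPort (2), ErrCode, AttrNum (1 each), 16-byte Authenticator, Attributes.
HEADER_FMT = "!BBBBHHIHBB"
HEADER_LEN = struct.calcsize(HEADER_FMT)
ATTR_USER_SEQNUM = 0x0A          # hypothetical TLV type for USER_SEQNUM
TYPE_LOGOUT_REQUEST = 0x05       # hypothetical Type value for a logout request
SEQ_SPACE = 2 ** 32              # N, the size of the user sequence number space

def ip_to_int(ip):
    return struct.unpack("!I", bytes(int(x) for x in ip.split(".")))[0]

def int_to_ip(n):
    return ".".join(str(b) for b in struct.pack("!I", n))

def encode_attrs(attrs):
    """TLV attributes: type (1 byte), length including header (1 byte), value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def find_attr(attrs, wanted):
    """Walk the TLV block; return the value of the first attribute of that type."""
    pos = 0
    while pos + 2 <= len(attrs):
        t, length = struct.unpack("!BB", attrs[pos:pos + 2])
        if length < 2:
            break
        if t == wanted:
            return attrs[pos + 2:pos + length]
        pos += length
    return None

def authenticator(header, attrs, key):
    """MD5 over the predetermined fields (header, 16 zero bytes in the
    Authenticator slot, Attributes) followed by the preset shared key."""
    return hashlib.md5(header + bytes(16) + attrs + key).digest()

def build_logout_request(user_ip, user_seqnum, key, serial_no=1):
    """Client side (step 22): carry USER_SEQNUM and the first authenticator."""
    attrs = encode_attrs([(ATTR_USER_SEQNUM, struct.pack("!I", user_seqnum))])
    header = struct.pack(HEADER_FMT, 2, TYPE_LOGOUT_REQUEST, 0, 0, serial_no, 0,
                         ip_to_int(user_ip), 0, 0, 1)
    return header + authenticator(header, attrs, key) + attrs

class PortalServer:
    """Server side of Embodiment 1, using the sequential (scheme 2) allocator."""

    def __init__(self, key, first_seq=0):
        self.key = key
        self.next_seq = first_seq
        self.table = {}          # user IP -> user sequence number (Table 1)

    def login(self, user_ip):
        """Step 21: allocate the next user sequence number, wrapping at N."""
        seq = self.next_seq
        self.next_seq = (self.next_seq + 1) % SEQ_SPACE
        self.table[user_ip] = seq
        return seq

    def handle_logout(self, pkt):
        if len(pkt) < HEADER_LEN + 16:
            return "drop: short packet"
        header = pkt[:HEADER_LEN]
        auth1 = pkt[HEADER_LEN:HEADER_LEN + 16]
        attrs = pkt[HEADER_LEN + 16:]
        user_ip = int_to_ip(struct.unpack(HEADER_FMT, header)[6])
        raw = find_attr(attrs, ATTR_USER_SEQNUM)
        if raw is None or len(raw) != 4:
            return "drop: no USER_SEQNUM"
        seq1 = struct.unpack("!I", raw)[0]
        # Step 23: the carried number must match the mapping-table entry.
        seq2 = self.table.get(user_ip)
        if seq2 is None or seq1 != seq2:
            return "drop: user sequence number mismatch"
        # Step 24: recompute the authenticator over the same fields and key.
        auth2 = authenticator(header, attrs, self.key)
        if not hmac.compare_digest(auth1, auth2):
            return "drop: authenticator mismatch"
        # Step 25: logout passes; the client's table entry is removed.
        del self.table[user_ip]
        return "ok"

def replay_scenario():
    """Constructed scenario: genuine logout, replay after re-login, and replay
    with the fresh number spliced in but the old authenticator left as is."""
    key = b"constructed-shared-key"
    server = PortalServer(key, first_seq=2)
    ip = "1.1.1.101"
    seq_a = server.login(ip)
    pkt_a = build_logout_request(ip, seq_a, key)
    genuine = server.handle_logout(pkt_a)
    seq_b = server.login(ip)                    # client logs in again
    replayed = server.handle_logout(pkt_a)      # stale message replayed
    spliced = (pkt_a[:HEADER_LEN + 16]
               + encode_attrs([(ATTR_USER_SEQNUM, struct.pack("!I", seq_b))]))
    tampered = server.handle_logout(spliced)
    return genuine, replayed, tampered
```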
This embodiment also provides apparatus for implementing the above anti-replay-attack method, specifically comprising a Portal server and a Portal client.
As shown in Fig. 4, the Portal server provided by this embodiment comprises:
a receiving unit, for receiving a logout request message from a first Portal client, the logout request message comprising a first authenticator, a first user sequence number and a first IP address of the first Portal client;
a first judging unit, for looking up a second user sequence number corresponding to the first IP address in a locally stored mapping table and judging whether the second user sequence number is identical to the first user sequence number: if so, triggering a second judging unit; otherwise discarding the logout request message; where the mapping table stores the correspondence between the IP address and the user sequence number allocated by the Portal server to each online Portal client, and the probability that any Portal client is allocated the same user sequence number on any two logins is not greater than a predetermined value;
a second judging unit, for performing digest calculation, according to the predetermined digest algorithm, over the preset shared key and the predetermined field of the logout request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logout authentication of the first Portal client has passed; otherwise discarding the logout request message; where the predetermined field includes the first user sequence number.
Preferably, the Portal server shown in Fig. 4 further comprises a sequence number allocation unit, for allocating a user sequence number to each Portal client after that client's login authentication passes, and carrying the allocated user sequence number in the authentication response message sent to the corresponding Portal client. Specifically, for any Portal client, the sequence number allocation unit randomly selects a value in a predetermined numeric space as the user sequence number of that Portal client; or it allocates the values in the predetermined numeric space sequentially to the Portal clients, in the order in which their login authentication passes, as their user sequence numbers.
As shown in Fig. 5, the Portal client provided by this embodiment comprises:
a logout processing unit, for sending a logout request message to the Portal server when this Portal client needs to log out, the logout request message comprising a first authenticator, a first IP address and a first user sequence number of the first Portal client, where the first user sequence number is the sequence number allocated by the Portal server to the first Portal client after the first Portal client logs in, and the probability that the Portal server allocates the same user sequence number to any Portal client on each login is less than a predetermined value; the first authenticator is obtained by performing digest calculation, according to the predetermined digest algorithm, over the preset shared key and the predetermined field of the logout request message, and the predetermined field includes the first user sequence number;
where the first user sequence number in the logout request message is provided to the Portal server for comparison with a second user sequence number, and the logout request message is discarded when the first and second user sequence numbers are not identical; the second user sequence number is the user sequence number corresponding to the first IP address that the Portal server obtains by looking up its locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number allocated by the Portal server to each online Portal client, and the probability that any Portal client is allocated the same user sequence number on any two logins is not greater than a predetermined value;
when the first and second user sequence numbers are identical, the first authenticator in the logout request message is used by the Portal server for comparison with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to have passed, and when they are not identical the logout request message is discarded; the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by performing digest calculation over the preset shared key and the predetermined field according to the predetermined digest algorithm.
Preferably, the Portal client shown in Fig. 5 further comprises:
a login processing unit, for sending a login request message to the Portal server when this Portal client needs to log in, and receiving the login response message returned by the Portal server after the login authentication of the first Portal client passes, the login response message carrying the user sequence number allocated by the Portal server to the first Portal client.
<Embodiment 2>
In this embodiment, when a Portal client needs to log out it first requests a logout sequence number from the Portal server. Logout sequence numbers are allocated to the Portal clients sequentially, that is, in the order in which the Portal clients log out the allocated sequence numbers increase or decrease in turn. The Portal server also maintains locally a sliding window for anti-replay and uses this sliding window to detect the freshness of logout request messages.
As shown in Fig. 6, the method for preventing replay attacks between a Portal server and a Portal client provided by this embodiment comprises the following steps:
Step 61: When a Portal client needs to log out, it first sends a sequence number request message to the Portal server to request a logout sequence number;
Step 62: After receiving the sequence number request messages that the Portal clients send when they need to log out, the Portal server allocates logout sequence numbers to the Portal clients sequentially, in the order in which it received the sequence number request messages, and sends a sequence number response message to each Portal client carrying the logout sequence number allocated to that client. Each Portal client that needs to log out can thus extract from the sequence number response message the logout sequence number allocated to it by the Portal server.
Here, sequential allocation can be incrementing allocation: if the order in which the sequence number request messages of the Portal clients are received is Portal client 1, Portal client 2, Portal client 3, ..., then the logout sequence numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... are respectively n, n+1, n+2, .... When the allocated logout sequence number reaches the upper limit of a numeric space of predetermined size, allocation continues cyclically from the lower limit of the numeric space. Here n is an integer.
Sequential allocation can also be decrementing allocation, in which case the logout sequence numbers allocated to the above Portal client 1, Portal client 2, Portal client 3, ... are respectively n, n-1, n-2, .... When the allocated logout sequence number reaches the lower limit of the numeric space of predetermined size, allocation continues cyclically from the upper limit of the numeric space.
The size of the above numeric space can be chosen according to the actual application environment, for example according to the number of Portal clients; taking 2^32 or 2^64 normally meets the anti-replay requirements of practical use. This embodiment does not limit the specific size of the numeric space: even if the numeric space is small, the processing of this embodiment can still identify replay-attack messages with a certain probability and thus prevent replay attacks using logout request messages to a certain extent.
Step 63: Taking any Portal client that needs to log out (assumed to be the first Portal client) as an example: after receiving the sequence number response message, the first Portal client extracts the logout sequence number carried in it (assumed to be the first logout sequence number) and then sends a logout request message to the Portal server. The logout request message comprises a first authenticator, the first logout sequence number and the first IP address of the first Portal client, where the first authenticator is obtained by performing digest calculation, according to the predetermined digest algorithm, over the locally stored preset shared key and the predetermined field of the logout request message, and the predetermined field includes the first logout sequence number.
Here, the first logout sequence number in the logout request message is used by the Portal server to judge whether this first logout sequence number lies within the range of the anti-replay sliding window maintained by the Portal server, and the logout request message is discarded when the judgement result is negative; the two ends of the sliding window are respectively the maximum and the minimum of the logout sequence numbers that the Portal server has currently allocated to Portal clients whose logout authentication has not yet passed;
when the first logout sequence number lies within the sliding window, the first authenticator in the logout request message is provided to the Portal server for comparison with a second authenticator: when the first and second authenticators are identical, the logout authentication of the first Portal client is judged to have passed, and when they are not identical the logout request message is discarded; the second authenticator is obtained by the Portal server, when the first logout sequence number lies within the sliding window, by performing digest calculation over the preset shared key and the predetermined field according to the predetermined digest algorithm.
Step 64: After receiving the logout request message from the first Portal client, the Portal server extracts the first authenticator, the first logout sequence number and the first IP address of the first Portal client from the logout request message, and judges whether the first logout sequence number lies within the range of the locally maintained anti-replay sliding window, whose two ends are respectively the maximum and the minimum of the logout sequence numbers that the Portal server has currently allocated to Portal clients whose logout authentication has not yet passed: if so, go to step 65; otherwise go to step 67.
Step 65: The Portal server performs digest calculation, according to the predetermined digest algorithm, over the preset shared key and the predetermined field of the logout request message to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, go to step 66; otherwise go to step 67.
Step 66: The Portal server judges that the logout authentication of the first Portal client has passed. After the logout authentication of the first Portal client passes, the Portal server slides the sliding window accordingly, so that its two ends are again respectively the maximum and the minimum of the logout sequence numbers currently allocated by the Portal server to Portal clients whose logout authentication has not yet passed. After the logout authentication of the first Portal client passes, the Portal server also continues, according to the prior-art processing flow, to interact with the BAS to request the relevant information for the Portal client's logout, and after receiving the response message returned by the BAS it returns a logout response message to the first Portal client indicating that logout succeeded; on receiving this logout response message, the first Portal client considers itself successfully logged out.
Here, after the logout authentication of the first Portal client passes, the Portal server may need to slide the window appropriately so that its two ends correspond respectively to the maximum and the minimum of the logout sequence numbers currently allocated to Portal clients whose logout authentication has not yet passed.
Step 67: The Portal server judges that the logout authentication of the first Portal client has failed; it directly discards the logout request message and ends the flow.
As can be seen from the above flow, this embodiment uses a sliding window of logout sequence numbers to verify the freshness of messages and so prevent replay attacks using logout request messages. When an attacker launches a replay attack using a previously intercepted logout request message of some Portal client, the logout sequence number in the replayed logout request message normally falls outside the sliding window, so the logout request message is discarded and the attack fails. Even if the attacker has intercepted the logout sequence number most recently allocated by the Portal server to the Portal client and substitutes it into the corresponding field of the previously intercepted logout request message, the Portal server can still detect this by the above step 65: when the Portal server performs the MD5 calculation over the predetermined field of the logout request message (which comprises the logout sequence number) and the preset shared key, it finds that the result differs from the authenticator carried in the logout request message, judges that the logout request message has been tampered with, and still discards the logout request message.
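The sliding-window check of steps 62 to 66, as an added example that is not the patent's code: the server allocates logout sequence numbers in turn, keeps the window ends at the oldest and newest outstanding number, and runs the step 64 and step 65 checks on a replayed message and on one with a fresh number spliced in. It assumes incrementing allocation in a cyclic space of size 2^16 and a simplified message carrying only the user IP, the logout sequence number and the authenticator.

```python
import hashlib
import hmac
import struct
from collections import deque

# Added example (not the patent's own code). Assumptions: logout sequence
# numbers are allocated incrementally in a cyclic space of size SEQ_SPACE, and
# the authenticator is MD5 over the fields the server checks here (user IP and
# logout sequence number) followed by the preset shared key.
SEQ_SPACE = 2 ** 16

def authenticator(user_ip, logout_seq, key):
    fields = user_ip.encode() + struct.pack("!I", logout_seq)
    return hashlib.md5(fields + key).digest()

def build_logout_request(user_ip, logout_seq, key):
    """Step 63: the client sends its logout sequence number and the first
    authenticator (the message is modelled as a dict)."""
    return {"ip": user_ip, "seq": logout_seq,
            "auth": authenticator(user_ip, logout_seq, key)}

class PortalServer:
    def __init__(self, key, first_seq=0):
        self.key = key
        self.next_seq = first_seq
        # Numbers allocated but not yet consumed by a passed logout, kept in
        # allocation order; the window ends are its oldest and newest entries.
        self.outstanding = deque()

    def request_logout_seq(self):
        """Step 62: allocate sequentially, wrapping at the space limit."""
        seq = self.next_seq
        self.next_seq = (self.next_seq + 1) % SEQ_SPACE
        self.outstanding.append(seq)
        return seq

    def window(self):
        """Ends of the sliding window: oldest and newest outstanding number,
        i.e. the minimum and maximum under incrementing allocation
        (None, None when nothing is outstanding)."""
        if not self.outstanding:
            return None, None
        return self.outstanding[0], self.outstanding[-1]

    def in_window(self, seq):
        lo, hi = self.window()
        if lo is None:
            return False
        # Cyclic distance so the check survives wraparound of the space.
        return (seq - lo) % SEQ_SPACE <= (hi - lo) % SEQ_SPACE

    def handle_logout(self, msg):
        # Step 64: the number must fall inside the anti-replay window.
        if not self.in_window(msg["seq"]):
            return "drop: outside sliding window"
        # Step 65: recompute and compare the authenticator.
        auth2 = authenticator(msg["ip"], msg["seq"], self.key)
        if not hmac.compare_digest(msg["auth"], auth2):
            return "drop: authenticator mismatch"
        # Step 66: retire the number; the window slides with the deque ends.
        try:
            self.outstanding.remove(msg["seq"])
        except ValueError:
            # Inside the window but already consumed: rejecting it too is an
            # added hardening, not a step of the flow described above.
            return "drop: sequence number already used"
        return "ok"

def replay_scenario():
    """Constructed scenario: three clients log out, a fourth asks for a number,
    then an old message is replayed as is and with the fresh number spliced in."""
    key = b"constructed-shared-key"
    server = PortalServer(key, first_seq=100)
    s1, s2, s3 = (server.request_logout_seq() for _ in range(3))
    m1 = build_logout_request("1.1.1.101", s1, key)
    first = server.handle_logout(m1)             # window [100, 102]
    server.handle_logout(build_logout_request("1.1.1.102", s2, key))
    server.handle_logout(build_logout_request("1.1.1.103", s3, key))
    s4 = server.request_logout_seq()             # window becomes [103, 103]
    replayed = server.handle_logout(m1)          # 100 is outside the window
    spliced = dict(m1, seq=s4)                   # fresh number, stale auth
    tampered = server.handle_logout(spliced)
    return first, replayed, tampered
```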
This embodiment also provides devices for implementing the above anti-replay method, specifically a Portal server and a Portal client.
As shown in Figure 7, the Portal server provided by this embodiment comprises:
A receiving unit, for receiving an offline request message for a first Portal client, the offline request message including a first authenticator, a first offline sequence number and the IP address of the first Portal client;
A first judging unit, for judging whether the first offline sequence number lies within the range of the locally maintained anti-replay sliding window: if so, it triggers the second judging unit; otherwise it discards the offline request message. The two ends of the sliding window are respectively the maximum and the minimum of the offline sequence numbers that the Portal server has currently assigned and that have not yet been used in a passed offline authentication; the offline sequence numbers are assigned by the Portal server, after it receives the sequence number request messages that each Portal client sends when it needs to go offline, to each Portal client in turn according to the order in which the sequence number request messages were received;
A second judging unit, for performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, it judges that the offline authentication of the first Portal client has passed; otherwise it discards the offline request message. The predetermined fields include the first offline sequence number.
Preferably, the Portal server shown in Fig. 7 further comprises a sequence number assignment unit, for assigning offline sequence numbers to each Portal client in turn, according to the order in which the sequence number request messages were received, after receiving the sequence number request messages that each Portal client sends when it needs to go offline.
As shown in Figure 8, the Portal client provided by this embodiment comprises:
A sequence number request unit, for sending a sequence number request message to the Portal server when this Portal client needs to go offline, and receiving the sequence number response message returned by the Portal server, which carries the offline sequence number that the Portal server assigned to this Portal client; the offline sequence numbers are assigned by the Portal server to each Portal client in turn according to the order in which it receives their sequence number request messages;
An offline processing unit, for sending an offline request message to the Portal server, the offline request message including a first authenticator, the first offline sequence number and the IP address of this Portal client; the first authenticator is obtained by performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message, and the predetermined fields include the first offline sequence number;
The first offline sequence number in the offline request message is used by the Portal server to judge whether it lies within the range of the anti-replay sliding window locally set at the Portal server, and the offline request message is discarded when that judgement is negative. The two ends of the sliding window are respectively the maximum and the minimum of the offline sequence numbers that the Portal server has currently assigned and that have not yet been used in a passed offline authentication.
When the first offline sequence number lies within the sliding window, the first authenticator in the offline request message is compared by the Portal server with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded. The second authenticator is obtained by the Portal server, when the first offline sequence number lies within the sliding window, by performing a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
In summary, in the anti-replay method and devices provided by the embodiments of the present invention, the Portal server assigns a corresponding sequence number (such as a user sequence number or an offline sequence number) to the client and uses this sequence number during offline authentication to detect replayed messages, so that replay attacks with offline request messages can be effectively prevented and the security of the Portal authentication system improved.
The above are only embodiments of the present invention. It should be pointed out that those skilled in the art can make various improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (16)

1. A method, performed by a Portal server, for preventing replay attacks between the Portal server and a Portal client, characterized in that it comprises:
Step A: the Portal server receives an offline request message for a first Portal client, the offline request message including a first authenticator, a first user sequence number and the IP address of the first Portal client;
Step B: the Portal server searches the locally stored mapping table for the second user sequence number corresponding to the IP address of the first Portal client, and judges whether the first and second user sequence numbers are identical: if so, it proceeds to step C; otherwise it discards the offline request message and the flow ends. The mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has assigned to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two occasions of going online is not greater than a predetermined value;
Step C: the Portal server performs a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, it judges that the offline authentication of the first Portal client has passed; otherwise it discards the offline request message and the flow ends. The predetermined fields include the first user sequence number.
2. The method according to claim 1, characterized in that it further comprises:
after the online authentication of each Portal client passes, the Portal server assigns a user sequence number to that Portal client and carries the assigned user sequence number in the authentication response message sent to the corresponding Portal client.
3. The method according to claim 2, characterized in that
assigning a user sequence number to each Portal client is:
for any Portal client, randomly selecting a value in a predetermined numerical space as the user sequence number of that Portal client; or, assigning the values in a predetermined numerical space to each Portal client in turn, according to the order in which the online authentication of each Portal client passed, as the user sequence number of each Portal client.
4. The method according to claim 2, characterized in that, in step C, after judging that the offline authentication of the first Portal client has passed, the Portal server further deletes the correspondence between the IP address of the first Portal client and the second user sequence number stored in the mapping table.
5. A method, performed by a Portal client, for preventing replay attacks between a Portal server and the Portal client, characterized in that it comprises:
when a first Portal client needs to go offline, it sends an offline request message to the Portal server, the offline request message including a first authenticator, the IP address of the first Portal client and a first user sequence number; the first user sequence number is the user sequence number that the Portal server assigned to the first Portal client after the first Portal client went online, and the probability that any Portal client is assigned the same user sequence number by the Portal server each time it goes online is not greater than a predetermined value; the first authenticator is obtained by performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message, and the predetermined fields include the first user sequence number;
the first user sequence number in the offline request message is provided for the Portal server to compare with a second user sequence number, and the offline request message is discarded when the first and second user sequence numbers are not identical; the second user sequence number is the user sequence number corresponding to the IP address of the first Portal client that the Portal server obtains by searching its locally stored mapping table, the mapping table storing the correspondence between the IP address and the user sequence number that the Portal server has assigned to each online Portal client, where the probability that any Portal client is assigned the same user sequence number on any two occasions of going online is not greater than a predetermined value;
the first authenticator in the offline request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by performing a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
6. The method according to claim 5, characterized in that, before sending the offline request message, the method further comprises:
when the first Portal client needs to go online, it sends an online request message to the Portal server and receives the online response message that the Portal server returns after the online authentication of the first Portal client passes, the online response message carrying the user sequence number that the Portal server assigned to the first Portal client.
7. A Portal server, characterized in that it comprises:
A receiving unit, for receiving an offline request message for a first Portal client, the offline request message including a first authenticator, a first user sequence number and the IP address of the first Portal client;
A first judging unit, for searching the locally stored mapping table for the second user sequence number corresponding to the IP address of the first Portal client and judging whether the first and second user sequence numbers are identical: if so, it triggers the second judging unit; otherwise it discards the offline request message. The mapping table stores the correspondence between the IP address and the user sequence number that the Portal server has assigned to each online Portal client, and the probability that any Portal client is assigned the same user sequence number on any two occasions of going online is not greater than a predetermined value;
A second judging unit, for performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, it judges that the offline authentication of the first Portal client has passed; otherwise it discards the offline request message. The predetermined fields include the first user sequence number.
8. The Portal server according to claim 7, characterized in that it further comprises:
A sequence number assignment unit, for assigning a user sequence number to each Portal client after the online authentication of that Portal client passes, and carrying the assigned user sequence number in the authentication response message sent to the corresponding Portal client.
9. The Portal server according to claim 8, characterized in that
the sequence number assignment unit is further configured to, for any Portal client, randomly select a value in a predetermined numerical space as the user sequence number of that Portal client; or to assign the values in a predetermined numerical space to each Portal client in turn, according to the order in which the online authentication of each Portal client passed, as the user sequence number of each Portal client.
10. A Portal client, characterized in that it comprises:
An offline processing unit, for sending an offline request message to the Portal server when this first Portal client needs to go offline, the offline request message including a first authenticator, the IP address of the first Portal client and a first user sequence number; the first user sequence number is the user sequence number that the Portal server assigned to the first Portal client after the first Portal client went online, and the probability that any Portal client is assigned the same user sequence number by the Portal server each time it goes online is not greater than a predetermined value; the first authenticator is obtained by performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message, and the predetermined fields include the first user sequence number;
the first user sequence number in the offline request message is used by the Portal server for comparison with a second user sequence number, and the offline request message is discarded when the first and second user sequence numbers are not identical; the second user sequence number is the user sequence number corresponding to the IP address of the first Portal client that the Portal server obtains by searching its locally stored mapping table, the mapping table storing the correspondence between the IP address and the user sequence number that the Portal server has assigned to each online Portal client, where the probability that any Portal client is assigned the same user sequence number on any two occasions of going online is not greater than a predetermined value;
the first authenticator in the offline request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by performing a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
11. The Portal client according to claim 10, characterized in that it further comprises:
An online processing unit, for sending an online request message to the Portal server when this Portal client needs to go online, and receiving the online response message that the Portal server returns after the online authentication of the first Portal client passes, the online response message carrying the user sequence number that the Portal server assigned to the first Portal client.
12. A method for preventing replay attacks between a Portal server and a Portal client, characterized in that it comprises:
Step 1: the Portal server receives an offline request message for a first Portal client, the offline request message including a first authenticator, a first offline sequence number and the IP address of the first Portal client;
Step 2: the Portal server judges whether the first offline sequence number lies within the range of the locally maintained anti-replay sliding window: if so, it proceeds to step 3; otherwise it discards the offline request message and the flow ends. The two ends of the sliding window are respectively the maximum and the minimum of the offline sequence numbers that the Portal server has currently assigned and that have not yet been used in a passed offline authentication; the offline sequence numbers are assigned by the Portal server, after it receives the sequence number request messages that each Portal client sends when it needs to go offline, to each Portal client in turn according to the order in which the sequence number request messages were received;
Step 3: the Portal server performs a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, it judges that the offline authentication of the first Portal client has passed; otherwise it discards the offline request message and the flow ends. The predetermined fields include the first offline sequence number.
13. A method for preventing replay attacks between a Portal server and a Portal client, characterized in that it comprises:
when a first Portal client needs to go offline, it sends a sequence number request message to the Portal server and receives the sequence number response message returned by the Portal server, which carries the first offline sequence number that the Portal server assigned to the first Portal client; the offline sequence numbers are assigned by the Portal server to each Portal client in turn according to the order in which it receives their sequence number request messages;
the first Portal client sends an offline request message to the Portal server, the offline request message including a first authenticator, the first offline sequence number and the IP address of the first Portal client; the first authenticator is obtained by performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message, and the predetermined fields include the first offline sequence number;
the first offline sequence number in the offline request message is used by the Portal server to judge whether it lies within the range of the anti-replay sliding window maintained at the Portal server, and the offline request message is discarded when that judgement is negative; the two ends of the sliding window are respectively the maximum and the minimum of the offline sequence numbers that the Portal server has currently assigned and that have not yet been used in a passed offline authentication;
the first authenticator in the offline request message is used by the Portal server for comparison with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; the second authenticator is obtained by the Portal server, when the first offline sequence number lies within the anti-replay sliding window, by performing a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
14. A Portal server, characterized in that it comprises:
A receiving unit, for receiving an offline request message for a first Portal client, the offline request message including a first authenticator, a first offline sequence number and the IP address of the first Portal client;
A first judging unit, for judging whether the first offline sequence number lies within the range of the locally maintained anti-replay sliding window: if so, it triggers the second judging unit; otherwise it discards the offline request message. The two ends of the sliding window are respectively the maximum and the minimum of the offline sequence numbers that the Portal server has currently assigned and that have not yet been used in a passed offline authentication; the offline sequence numbers are assigned by the Portal server, after it receives the sequence number request messages that each Portal client sends when it needs to go offline, to each Portal client in turn according to the order in which the sequence number request messages were received;
A second judging unit, for performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, it judges that the offline authentication of the first Portal client has passed; otherwise it discards the offline request message. The predetermined fields include the first offline sequence number.
15. The Portal server according to claim 14, characterized in that it further comprises:
A sequence number assignment unit, for assigning offline sequence numbers to each Portal client in turn, according to the order in which the sequence number request messages were received, after receiving the sequence number request messages that each Portal client sends when it needs to go offline.
16. A Portal client, characterized in that it comprises:
A sequence number request unit, for sending a sequence number request message to the Portal server when this Portal client needs to go offline, and receiving the sequence number response message returned by the Portal server, which carries the first offline sequence number that the Portal server assigned to the first Portal client; the offline sequence numbers are assigned by the Portal server to each Portal client in turn according to the order in which it receives their sequence number request messages;
An offline processing unit, for sending an offline request message to the Portal server, the offline request message including a first authenticator, the first offline sequence number and the IP address of the first Portal client; the first authenticator is obtained by performing a digest calculation according to a predetermined digest algorithm over the preset shared key and the predetermined fields of the offline request message, and the predetermined fields include the first offline sequence number;
the first offline sequence number in the offline request message is used by the Portal server to judge whether it lies within the range of the anti-replay sliding window locally set at the Portal server, and the offline request message is discarded when that judgement is negative; the two ends of the sliding window are respectively the maximum and the minimum of the offline sequence numbers that the Portal server has currently assigned and that have not yet been used in a passed offline authentication;
the first authenticator in the offline request message is used by the Portal server for comparison with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; the second authenticator is obtained by the Portal server, when the first offline sequence number lies within the anti-replay sliding window, by performing a digest calculation according to the predetermined digest algorithm over the preset shared key and the predetermined fields.
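Claims 1 to 11 above describe the other variant, in which a per-login user sequence number is looked up in an IP-to-sequence-number mapping table and compared before the digest check, and the mapping entry is deleted once the offline authentication passes. The following Python is an added example of that variant (not code from the patent or from H3C), assuming MD5 over the user sequence number and client IP, a constructed shared key, a 32-bit numerical space and random selection of the user sequence number.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed shared key; the Portal server and its clients share a preset key.
SHARED_KEY = b"constructed-preset-shared-key"
# Predetermined numerical space for user sequence numbers (constructed size).
USER_SEQ_SPACE = 2 ** 32


def compute_authenticator(user_seq: int, client_ip: str, key: bytes = SHARED_KEY) -> bytes:
    """Digest over the predetermined fields plus the preset shared key. The claims
    only require the fields to include the user sequence number; covering the
    client IP too, and the byte layout, is a constructed choice."""
    data = user_seq.to_bytes(4, "big") + client_ip.encode("ascii") + key
    return hashlib.md5(data).digest()


@dataclass(frozen=True)
class OfflineRequest:
    client_ip: str
    user_seq: int
    authenticator: bytes


def build_offline_request(client_ip: str, user_seq: int) -> OfflineRequest:
    """Client side: the first authenticator is computed over the same fields."""
    return OfflineRequest(client_ip, user_seq, compute_authenticator(user_seq, client_ip))


class PortalServer:
    def __init__(self):
        # Mapping table: IP address -> user sequence number of each online client.
        self._online = {}

    def online_auth_passed(self, client_ip: str) -> int:
        """Claims 2 and 3: after online authentication passes, select a user
        sequence number at random from the numerical space and record it for
        this IP. Two logins of one client collide with probability 1/space."""
        user_seq = secrets.randbelow(USER_SEQ_SPACE)
        self._online[client_ip] = user_seq
        return user_seq

    def handle_offline_request(self, req: OfflineRequest) -> str:
        # Step B: look up the second user sequence number by IP and compare.
        second = self._online.get(req.client_ip)
        if second is None or second != req.user_seq:
            return "dropped: user sequence number mismatch"
        # Step C: recompute the second authenticator and compare in constant time.
        expected = compute_authenticator(req.user_seq, req.client_ip)
        if not hmac.compare_digest(expected, req.authenticator):
            return "dropped: authenticator mismatch (tampered)"
        # Claim 4: offline authentication passed, delete the mapping entry so the
        # same offline request cannot pass a second time.
        del self._online[req.client_ip]
        return "accepted"

    def is_online(self, client_ip: str) -> bool:
        return client_ip in self._online


def scenario() -> dict:
    """Two sessions of one constructed client, with the first offline request observed."""
    server = PortalServer()
    ip = "10.0.0.21"
    results = {}

    # Session 1: client goes online, later goes offline; the request is observed.
    seq1 = server.online_auth_passed(ip)
    captured = build_offline_request(ip, seq1)
    results["legit"] = server.handle_offline_request(captured)

    # Client is now offline: a replay finds no mapping entry for the IP.
    results["replay_while_offline"] = server.handle_offline_request(captured)

    # Session 2: the same client goes online again and gets a fresh number.
    seq2 = server.online_auth_passed(ip)

    # Replay of the session-1 message: stale user sequence number, dropped in step B.
    results["replay_while_online"] = server.handle_offline_request(captured)

    # Session-1 message with the current number patched in but the captured
    # authenticator kept: passes step B, fails step C.
    patched = OfflineRequest(ip, seq2, captured.authenticator)
    results["patched"] = server.handle_offline_request(patched)

    # The client's genuine session-2 offline request still passes.
    results["legit2"] = server.handle_offline_request(build_offline_request(ip, seq2))
    results["still_online"] = server.is_online(ip)
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:>20}: {outcome}")
```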
CN200910237527.5A 2009-11-11 2009-11-11 Method and device for preventing replay attack between portal server and client Expired - Fee Related CN102065067B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910237527.5A CN102065067B (en) 2009-11-11 2009-11-11 Method and device for preventing replay attack between portal server and client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910237527.5A CN102065067B (en) 2009-11-11 2009-11-11 Method and device for preventing replay attack between portal server and client

Publications (2)

Publication Number Publication Date
CN102065067A CN102065067A (en) 2011-05-18
CN102065067B true CN102065067B (en) 2014-06-25

Family

ID=44000170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910237527.5A Expired - Fee Related CN102065067B (en) 2009-11-11 2009-11-11 Method and device for preventing replay attack between portal server and client

Country Status (1)

Country Link
CN (1) CN102065067B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102684884B (en) * 2012-05-24 2016-08-03 杭州华三通信技术有限公司 Portal Web server and method therefor for preventing forged offline requests
CN102761560B (en) * 2012-08-01 2015-01-14 飞天诚信科技股份有限公司 Method and system for verifying information integrity
CN102801733A (en) * 2012-08-28 2012-11-28 盛科网络(苏州)有限公司 Method for setting security authentication in precision time protocol (PTP)
CN102857521A (en) * 2012-10-12 2013-01-02 盛科网络(苏州)有限公司 Method and device for setting operation, administration and maintenance (OAM) security authentication
WO2014110775A1 (en) 2013-01-18 2014-07-24 Hewlett-Packard Development Company, L.P. Preventing a memory attack to a wireless access point
WO2014110774A1 (en) * 2013-01-18 2014-07-24 Hewlett-Packard Development Company, L.P. Preventing an input/output blocking attack to a wireless access point
CN103237020B (en) * 2013-04-07 2016-08-17 杭州华三通信技术有限公司 Method, server and switch for preventing a state machine from being attacked
CN104105125B (en) * 2013-04-15 2017-08-25 中国移动通信集团北京有限公司 Service processing method, apparatus and system
CN103441983A (en) * 2013-07-11 2013-12-11 盛科网络(苏州)有限公司 Information protection method and device based on link layer discovery protocol
CN103905452A (en) * 2014-04-03 2014-07-02 国家电网公司 Credible network attack filter device and method
CN105991359A (en) * 2015-02-06 2016-10-05 中兴通讯股份有限公司 Method and device for detecting repeated simulation messages
CN104917765A (en) * 2015-06-10 2015-09-16 杭州华三通信技术有限公司 Attack prevention method, and equipment
CN106789884A (en) * 2016-11-16 2017-05-31 上海斐讯数据通信技术有限公司 Portal authentication method and system
CN106453408B (en) * 2016-11-21 2020-01-03 新华三技术有限公司 Method and device for preventing counterfeit offline attack
CN112671605B (en) * 2020-12-16 2023-07-11 建信金融科技有限责任公司 Test method and device and electronic equipment
CN112653699B (en) * 2020-12-22 2022-08-12 迈普通信技术股份有限公司 BFD authentication method and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1416241A (en) * 2002-10-16 2003-05-07 华为技术有限公司 Authentication method for supporting network switching in based on different devices at same time
JP2004302869A (en) * 2003-03-31 2004-10-28 Fuji Xerox Co Ltd Access management server, network device, network system and access management method
CN101217567A (en) * 2008-01-08 2008-07-09 杭州华三通信技术有限公司 A webpage push method, system and device
CN101277308A (en) * 2008-05-23 2008-10-01 杭州华三通信技术有限公司 Method for insulating inside and outside networks, authentication server and access switch

Also Published As

Publication number Publication date
CN102065067A (en) 2011-05-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Hangzhou H3C Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140625

Termination date: 20191111