CN102065067B - Method and device for preventing replay attack between portal server and client - Google Patents
- Publication number: CN102065067B (application CN200910237527.5A)
- Authority: CN (China)
- Prior art keywords: logout, sequence number, portal, request message
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification (Google Patents landscapes): Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract
The invention provides a method and apparatus for preventing replay attacks between a Portal server and a Portal client. In the invention, the Portal server allocates a corresponding sequence number, such as a user sequence number or a logout sequence number, to the client and uses that sequence number to detect replayed messages during logout authentication, thereby effectively preventing replay of logout request messages and improving the security of the Portal authentication system.
Description
Technical field
The present invention relates to the field of secure authentication technology, and specifically to a method and apparatus for preventing replay attacks between a portal (Portal) server and a Portal client.
Background technology
Portal authentication, also commonly called Web authentication, authenticates users through a web page; the website used for authentication is generally called the portal website. The Portal authentication protocol is mainly used in Web-based broadband access authentication systems to authenticate and authorize users. When an unauthenticated user goes online, the access device forces the user to a specific website, whose services the user can access freely. When the user needs other information on the Internet, the user must authenticate at the portal website, and only after authentication passes can the user use Internet resources.
The whole Portal authentication process involves the Portal client (Portal Client), the authentication server (Portal Server), the Broadband Access Server (BAS) and the Authentication, Authorization and Accounting (AAA) server. Authentication relies mainly on the protocol interaction between the Portal Server and the BAS; the protocol adopts a non-strict client/server structure, and most messages are exchanged in request/response fashion.
At present, the processing flow in which a Portal client actively requests to log out is shown in Figure 1. When it wants to log out, the Portal client sends a logout request message (LOGOUT_REQUEST (0x66)) to the Portal server. The Authenticator field of this message is an MD5 (Message-Digest algorithm 5) digest computed over part of the fields of the logout request message and the shared key preset in the Portal client. On receiving the logout request message, the Portal server computes an MD5 digest over the same fields of the message and the shared key preset in the server, and compares the result with the Authenticator field sent by the Portal client. If they are identical, the message is considered legitimate, the interaction with the BAS is carried out, and finally a logout response message is returned to the Portal client; otherwise the message is considered erroneous and is simply dropped, and the drop is counted. This is the Portal server's authentication of the Portal client. To complete it, the Portal server and the Portal client must both be configured with the same preset shared key (Secret) and use the same algorithm (for example the MD5 algorithm described in RFC 1321), and to verify a received message the receiver must repeat exactly the sender's computation over the predetermined fields.
This prior-art logout implementation has a man-in-the-middle replay problem. If an attacker sits between a Portal client and the Portal server, it can capture and store a logout request message that the client once actively sent to the server. When that client later passes authentication again and is online normally, the attacker replays the stored message to the Portal server, which then abruptly logs the client out. If the attacker stores the logout request messages of many different Portal clients and replays them deliberately at irregular times, many Portal clients will be dropped abnormally, and further attacks can follow, such as session hijacking and theft of trust relationships between hosts.
Summary of the invention
The technical problem to be solved by the invention is to provide a method and apparatus for preventing replay attacks between a Portal server and a Portal client, which effectively prevents replay of logout request messages and improves the security of the Portal authentication system.
To solve the above technical problem, the invention provides the following solution:
A method for preventing replay attacks between a Portal server and a Portal client, comprising:
Step A: the Portal server receives a logout request message for a first Portal client; the logout request message carries a first authenticator, a first user sequence number and the IP address of the first Portal client;
Step B: the Portal server looks up, in a locally stored mapping table, the second user sequence number corresponding to the first IP address and judges whether the first and second user sequence numbers are identical: if so, proceed to step C; otherwise discard the logout request message and end the flow. The mapping table stores, for each online Portal client, the correspondence between its IP address and the user sequence number the Portal server allocated to it, and the probability that any Portal client is allocated the same user sequence number on any two logins is no greater than a predetermined value;
Step C: the Portal server computes, with a predetermined digest algorithm, a digest over the preset shared key and predetermined fields of the logout request message to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, the logout authentication of the first Portal client passes; otherwise discard the logout request message and end the flow. The predetermined fields include the first user sequence number.
Preferably, the method further comprises:
after each Portal client passes login authentication, the Portal server allocates a user sequence number to that client and carries the allocated user sequence number in the authentication response message sent to it.
Preferably, allocating a user sequence number to each Portal client is:
for any Portal client, selecting a value at random from a predetermined numerical space as that client's user sequence number; or allocating the values of the predetermined numerical space to the Portal clients in turn, in the order in which they pass login authentication, as their user sequence numbers.
Preferably, in step C, after the logout authentication of the first Portal client passes, the Portal server further deletes the correspondence between the first IP address and the second user sequence number from the mapping table.
The present invention also provides the method for another kind anti-replay-attack between Portal server and Portal client, comprising:
The one Portal client is in the time that needs roll off the production line, send to Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include an IP address and the first user sequence number of the first authenticator, a Portal client, wherein, described first user sequence number is that described Portal server is user's sequence number that a Portal client is distributed after a Portal client is reached the standard grade, and the probability that arbitrary Portal client is assigned to same user's sequence number by described Portal server at every turn after reaching the standard grade is less than predetermined value; Described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first user sequence number;
Wherein, the described first user sequence number rolling off the production line in request message is for offering described Portal server and second user's sequence number compares, and first, request message rolls off the production line described in second user's sequence number abandons when not identical, wherein, described second user's sequence number is that described Portal server is searched the user sequence number corresponding with an IP address that the local mapping table of preserving obtains, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value,
Described the first authenticator rolling off the production line in request message is for offering described Portal server and the second authenticator compares, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, described the second authenticator be described Portal server in the time that described first, second user's sequence number is identical, according to predetermined digest algorithm, preset shared key and described predetermined field are carried out that digest calculations obtains.
Preferably, in said method, before the request message that rolls off the production line described in sending, described method also comprises:
The one Portal client sends to Portal server the request message of reaching the standard grade in the time that this Portal client need to be reached the standard grade, and receive Portal server to a described Portal client reach the standard grade authentication by after the back message using of reaching the standard grade that returns, described in reach the standard grade that to carry described Portal server in back message using be user's sequence number that a described Portal client is distributed.
The invention provides a Portal server, comprising:
a receiving unit, configured to receive a logout request message for a first Portal client, the message carrying a first authenticator, a first user sequence number and the IP address of the first Portal client;
a first judging unit, configured to look up in a locally stored mapping table the second user sequence number corresponding to the first IP address and judge whether the first and second user sequence numbers are identical: if so, trigger the second judging unit; otherwise discard the logout request message. The mapping table stores, for each online Portal client, the correspondence between its IP address and the user sequence number the Portal server allocated to it, and the probability that any Portal client is allocated the same user sequence number on any two logins is no greater than a predetermined value;
a second judging unit, configured to compute, with a predetermined digest algorithm, a digest over the preset shared key and predetermined fields of the logout request message to obtain a second authenticator, and judge whether the first and second authenticators are identical: if so, the logout authentication of the first Portal client passes; otherwise discard the logout request message. The predetermined fields include the first user sequence number.
Preferably, the Portal server further comprises:
a sequence number allocation unit, configured to allocate a user sequence number to each Portal client after it passes login authentication and to carry the allocated user sequence number in the authentication response message sent to that client.
Preferably, in the above Portal server,
the sequence number allocation unit is further configured, for any Portal client, to select a value at random from a predetermined numerical space as that client's user sequence number; or to allocate the values of the predetermined numerical space to the Portal clients in turn, in the order in which they pass login authentication, as their user sequence numbers.
The invention also provides a Portal client, comprising:
a logout processing unit, configured to send a logout request message to the Portal server when this Portal client needs to log out, the message carrying a first authenticator, the IP address of the first Portal client and a first user sequence number. The first user sequence number is the user sequence number the Portal server allocated to the first Portal client after it logged in, and the probability that the Portal server allocates any Portal client the same user sequence number on successive logins is less than a predetermined value. The first authenticator is obtained by computing a digest, with a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message, and the predetermined fields include the first user sequence number;
the first user sequence number in the logout request message is provided for the Portal server to compare with a second user sequence number, and the logout request message is discarded when the first and second user sequence numbers differ. The second user sequence number is the user sequence number the Portal server finds for the first IP address in its locally stored mapping table; the mapping table stores, for each online Portal client, the correspondence between its IP address and the user sequence number the Portal server allocated to it, and the probability that any Portal client is allocated the same user sequence number on any two logins is no greater than a predetermined value;
the first authenticator in the logout request message is provided for the Portal server to compare with a second authenticator; when they are identical the logout authentication of the first Portal client passes, and when they differ the logout request message is discarded. The second authenticator is computed by the Portal server, when the first and second user sequence numbers are identical, as a digest with the predetermined digest algorithm over the preset shared key and the predetermined fields.
Preferably, the Portal client further comprises:
a login processing unit, configured to send a login request message to the Portal server when this Portal client needs to log in, and to receive the login response message the Portal server returns after the first Portal client passes login authentication; the login response message carries the user sequence number the Portal server allocated to the first Portal client.
The invention also provides a method for preventing replay attacks between a Portal server and a Portal client, comprising:
Step 1: the Portal server receives a logout request message for a first Portal client; the message carries a first authenticator, a first logout sequence number and the IP address of the first Portal client;
Step 2: the Portal server judges whether the first logout sequence number lies within the anti-replay sliding window it maintains locally: if so, proceed to step 3; otherwise discard the logout request message and end the flow. The two ends of the sliding window are the largest and the smallest of the logout sequence numbers that the Portal server has already allocated to Portal clients whose logout authentication has not yet passed. The logout sequence numbers are allocated by the Portal server in turn, in the order in which it receives the serial number request messages that each Portal client sends, when it needs to log out, to request a logout sequence number;
Preferably, the method further comprises:
after receiving the serial number request message that each Portal client sends when it needs to log out, the Portal server allocates logout sequence numbers to the Portal clients in turn, in the order in which the serial number request messages are received.
The invention further provides a method for preventing replay attacks between a Portal server and a Portal client, comprising:
when a first Portal client needs to log out, it sends a serial number request message to the Portal server to request a logout sequence number and receives the sequence number response message the Portal server returns, which carries the logout sequence number the Portal server allocated to the first Portal client; the Portal server allocates logout sequence numbers to the Portal clients in turn, in the order in which it receives their serial number request messages;
the first Portal client sends a logout request message to the Portal server, carrying a first authenticator, the first logout sequence number and the IP address of the first Portal client; the first authenticator is obtained by computing a digest, with a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message, and the predetermined fields include the first logout sequence number;
the first logout sequence number in the logout request message is provided for the Portal server to judge whether it lies within the anti-replay sliding window the Portal server maintains, and the logout request message is discarded when it does not. The two ends of the sliding window are the largest and the smallest of the logout sequence numbers the Portal server has already allocated to Portal clients whose logout authentication has not yet passed;
the first authenticator in the logout request message is provided for the Portal server to compare with a second authenticator; when they are identical the logout authentication of the first Portal client passes, and when they differ the logout request message is discarded. The second authenticator is computed by the Portal server, once the first logout sequence number has passed the sliding window check, as a digest with the predetermined digest algorithm over the preset shared key and the predetermined fields.
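The following is an added example, not code from the patent, that implements the second embodiment (steps 1 and 2 above and the client-side method just described): clients obtain logout sequence numbers in arrival order, the server keeps the anti-replay window whose ends are the smallest and largest number still outstanding, and the authenticator is an MD5 digest over fields that include that number. The message layout, the shared key and the IP addresses are constructed for the demonstration. One assumption goes beyond the claim wording: the claim describes the window only by its two ends, and a number that has already been consumed can still lie between those ends while other numbers are pending, so the code also keeps the set of outstanding numbers and rejects a consumed one. The scenario shows exactly that case.

```python
import hashlib
import hmac

SECRET = b"portal-shared-secret"   # constructed shared key for the example


def authenticator(fields: bytes, secret: bytes = SECRET) -> bytes:
    """Authenticator as the text describes it: MD5 over predetermined fields plus the shared key."""
    return hashlib.md5(fields + secret).digest()


def logout_fields(ip: str, seq: int) -> bytes:
    """Predetermined fields of embodiment 2 (constructed layout): they include the logout sequence number."""
    return b"LOGOUT" + ip.encode() + seq.to_bytes(8, "big")


class Embodiment2Server:
    def __init__(self):
        self.next_seq = 1
        self.outstanding = set()   # logout sequence numbers allocated but not yet used

    def window(self):
        """Anti-replay sliding window: its ends are the smallest and largest outstanding number."""
        if not self.outstanding:
            return None
        return min(self.outstanding), max(self.outstanding)

    def request_seq(self) -> int:
        """Handles a serial number request message: numbers are handed out in arrival order."""
        seq = self.next_seq
        self.next_seq += 1
        self.outstanding.add(seq)
        return seq                          # carried back in the sequence number response

    def in_window(self, seq: int) -> bool:
        """Step 2 exactly as claimed: is the number between the two ends of the window?"""
        w = self.window()
        return w is not None and w[0] <= seq <= w[1]

    def logout(self, ip: str, seq1: int, auth1: bytes) -> str:
        if not self.in_window(seq1):                   # step 2: outside the window
            return "dropped"
        if seq1 not in self.outstanding:               # assumption: inside the range but already consumed
            return "dropped"
        if not hmac.compare_digest(authenticator(logout_fields(ip, seq1)), auth1):
            return "dropped"
        self.outstanding.discard(seq1)                 # the window's ends slide as numbers are consumed
        return "logged_out"


def client_logout_request(server: Embodiment2Server, ip: str):
    """Client side: ask for a logout sequence number, then build the logout request message."""
    seq = server.request_seq()
    return ip, seq, authenticator(logout_fields(ip, seq))


def scenario() -> dict:
    """Three clients request numbers 1, 2, 3; the middle one logs out first, then is replayed."""
    s = Embodiment2Server()
    a = client_logout_request(s, "10.0.0.1")   # seq 1
    b = client_logout_request(s, "10.0.0.2")   # seq 2
    c = client_logout_request(s, "10.0.0.3")   # seq 3
    r = {"window_before": s.window()}          # (1, 3)
    r["b_genuine"] = s.logout(*b)
    r["window_after_b"] = s.window()           # still (1, 3): 1 and 3 remain outstanding
    r["b_replay_range_only"] = s.in_window(b[1])   # a range-only check would let the replay through
    r["b_replay"] = s.logout(*b)               # rejected because 2 is no longer outstanding
    r["a_genuine"] = s.logout(*a)
    r["c_genuine"] = s.logout(*c)
    r["window_empty"] = s.window()             # nothing outstanding: window is empty
    r["a_replay"] = s.logout(*a)               # rejected at step 2
    return r
```

The MD5-over-fields-plus-key construction is kept only for fidelity to the text; a new design would use an HMAC for the authenticator. The freshness property comes entirely from the sequence number, so the server must never accept a number twice, which is why the outstanding set matters more than the window ends.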
The invention also provides another Portal server, comprising:
a receiving unit, configured to receive a logout request message for a first Portal client, the message carrying a first authenticator, a first logout sequence number and the IP address of the first Portal client;
a first judging unit, configured to judge whether the first logout sequence number lies within the anti-replay sliding window maintained locally: if so, trigger the second judging unit; otherwise discard the logout request message. The two ends of the sliding window are the largest and the smallest of the logout sequence numbers that the Portal server has already allocated to Portal clients whose logout authentication has not yet passed, and the logout sequence numbers are allocated by the Portal server in turn, in the order in which it receives the serial number request messages that each Portal client sends, when it needs to log out, to request a logout sequence number;
a second judging unit, configured to compute, with a predetermined digest algorithm, a digest over the preset shared key and predetermined fields of the logout request message to obtain a second authenticator, and judge whether the first and second authenticators are identical: if so, the logout authentication of the first Portal client passes; otherwise discard the logout request message. The predetermined fields include the first logout sequence number.
Preferably, the Portal server further comprises:
a sequence number allocation unit, configured, after receiving the serial number request message that each Portal client sends when it needs to log out, to allocate logout sequence numbers to the Portal clients in turn, in the order in which the serial number request messages are received.
The invention also provides another Portal client, comprising:
a sequence number request unit, configured, when this Portal client needs to log out, to send a serial number request message to the Portal server to request a logout sequence number and to receive the sequence number response message the Portal server returns, which carries the logout sequence number the Portal server allocated to the first Portal client; the Portal server allocates logout sequence numbers to the Portal clients in turn, in the order in which it receives their serial number request messages;
a logout processing unit, configured to send a logout request message to the Portal server, carrying a first authenticator, the first logout sequence number and the IP address of the first Portal client; the first authenticator is obtained by computing a digest, with a predetermined digest algorithm, over the preset shared key and predetermined fields of the logout request message, and the predetermined fields include the first logout sequence number;
the first logout sequence number in the logout request message is provided for the Portal server to judge whether it lies within the anti-replay sliding window the Portal server maintains locally, and the logout request message is discarded when it does not. The two ends of the sliding window are the largest and the smallest of the logout sequence numbers the Portal server has already allocated to Portal clients whose logout authentication has not yet passed;
the first authenticator in the logout request message is provided for the Portal server to compare with a second authenticator; when they are identical the logout authentication of the first Portal client passes, and when they differ the logout request message is discarded. The second authenticator is computed by the Portal server, once the first logout sequence number has passed the sliding window check, as a digest with the predetermined digest algorithm over the preset shared key and the predetermined fields.
As can be seen from the above, in the method and apparatus for preventing replay attacks between a Portal server and a Portal client provided by the invention, the Portal server allocates a corresponding sequence number (a user sequence number or a logout sequence number) to the Portal client and uses that sequence number during logout authentication to detect replayed messages, so that replay of logout request messages is effectively prevented and the security of the Portal authentication system is improved.
Brief description of the drawings
Fig. 1 is a flow diagram of a prior-art Portal client actively requesting to log out;
Fig. 2 is a flow diagram of the method for preventing replay attacks described in Embodiment 1 of the invention;
Fig. 3 is a schematic diagram of the Portal protocol message format;
Fig. 4 is a structural diagram of the Portal server described in Embodiment 1 of the invention;
Fig. 5 is a structural diagram of the Portal client described in Embodiment 1 of the invention;
Fig. 6 is a flow diagram of the method for preventing replay attacks described in Embodiment 2 of the invention;
Fig. 7 is a structural diagram of the Portal server described in Embodiment 2 of the invention;
Fig. 8 is a structural diagram of the Portal client described in Embodiment 2 of the invention.
Embodiments
The reason the prior art is exposed to man-in-the-middle replay is that the prior-art Portal server verifies only the credibility of the logout request message itself: what is checked is the trusted relationship between specific fields of the logout request message, the preset shared key and the Authenticator field of the message. A verification based on this relationship can only guarantee the integrity of that message: if the message has been tampered with by an attacker, this is detected. It cannot verify the freshness of the request message, that is, it cannot tell whether the request message has been sent before.
The main idea of the invention is to introduce, into the Portal server's verification of the Portal client, a trusted factor associated with the Portal user's current session, so as to solve the security problem caused by man-in-the-middle replay attacks. The invention is further described below with reference to the drawings, through specific embodiments.
<Embodiment 1>
In this embodiment, after any Portal client goes online, the Portal server allocates a user serial number to that Portal client. For the same Portal client, the Portal server ensures as far as possible that a different user serial number is allocated each time the client logs in. The Portal server keeps locally the correspondence between the user serial number and the IP address of each online Portal client; then, on receiving a logoff request message from a Portal client, it verifies the freshness of that message using the locally stored correspondence and the user serial number carried in the logoff request message.
As shown in Figure 2, the method for preventing replay attacks between a Portal server and a Portal client provided by this embodiment comprises the following steps:
Here, when allocating a user serial number to a Portal client, the Portal server needs to ensure that the probability of the Portal client being allocated the same user serial number on different logins is not greater than a predetermined value. The concrete allocation method can be:
1) Choose a value at random from a number space of predetermined size (assumed to be N) as the user serial number of the Portal client. Under this allocation method, if the Portal client is allocated user serial number 1 after its first login, the probability that it is again allocated user serial number 1 after its second login is 1/N. As long as N is large enough, the probability that a Portal client is allocated the same user serial number on different logins is small enough. For example, N = 2^32 or N = 2^64 satisfies the anti-replay requirements of practical use.
2) Allocate the values of a predetermined number space (assumed to be of size N) to the Portal clients in turn, in the order in which each Portal client passes login authentication, as the user serial number of each Portal client. In this case, if the Portal client is allocated user serial number 1 after its first login, the probability that it is again allocated user serial number 1 after its second login is less than 1/N.
Here, allocating in turn can be allocating in ascending order: if the order in which the Portal clients pass login authentication is Portal client 1, Portal client 2, Portal client 3, ..., then the user serial numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... are n, n+1, n+2, ... respectively. When the allocated user serial number reaches the upper limit of the number space, allocation continues cyclically from the lower limit of the number space.
Allocating in turn can also be allocating in descending order, in which case the user serial numbers allocated to the above Portal client 1, Portal client 2, Portal client 3, ... are n, n-1, n-2, ... respectively. When the allocated user serial number reaches the lower limit of the number space, allocation continues cyclically from the upper limit of the number space.
Table 1 below illustrates the contents that may be included in the correspondence table maintained by the Portal server. The user serial number and IP address in each row are the user serial number and IP address that the Portal server allocated to one particular client.
ID | User serial number | Start time | IP address | MAC address | NAS_IP |
40032 | 2 | 2009-7-10 15:49:05 | 1.1.1.101 | 00:31:00:00:00:01 | 85.1.1.1 |
40033 | 3 | 2009-7-10 15:49:06 | 1.1.1.102 | 00:31:00:00:00:02 | 85.1.1.1 |
40034 | 4 | 2009-7-10 15:49:07 | 1.1.1.103 | 00:31:00:00:00:03 | 85.1.1.1 |
40035 | 5 | 2009-7-10 15:49:08 | 1.1.1.104 | 00:31:00:00:00:04 | 85.1.1.1 |
Table 1
As can be seen from the rest of this embodiment, what the Portal server checks is the correspondence between the IP address and the user serial number that the Portal server allocated to the Portal client. The probability that a client is allocated both the same IP address and the same user serial number on different logins is low: taking a user serial number space of size 2^64 as an example, this probability is 1/(m * 2^64), where m is assumed to be the size of the allocatable IP address space and the IP address is assumed to be allocated at random as well. In deployments where a client keeps the same IP address across logins, only the 1/2^64 factor applies. This probability is extremely small and is sufficient for the anti-replay requirements of current practical use. If a stronger security guarantee is needed, the size of the user serial number space can be increased further, and the preset shared key between the Portal client and the Portal server can also be refreshed periodically.
Here, the first user serial number in the logoff request message is provided for the Portal server to compare with a second user serial number, and the logoff request message is discarded when the first and second user serial numbers differ. The second user serial number is the user serial number that the Portal server obtains by looking up the entry for the first IP address in the locally stored correspondence table; this table stores the correspondence between the IP address and the user serial number that the Portal server allocated to each online Portal client, and the probability that any Portal client is allocated the same user serial number on any two logins is not greater than a predetermined value. When the first and second user serial numbers are identical, the first authenticator in the logoff request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical the logoff authentication of the first Portal client is judged to have passed, and when they differ the logoff request message is discarded. The second authenticator is obtained by the Portal server, when the first and second user serial numbers are identical, by performing a digest calculation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
Here, the first Portal client performs a digest calculation over the predetermined fields of the logoff request message and the preset shared key according to a predetermined digest algorithm (such as MD5). The logoff request message is a Portal protocol message; the format of a Portal protocol message is shown in Figure 3. In this embodiment, the predetermined fields over which the digest is calculated comprise: the Ver field, the Type field, the PAP/CHAP field, the Rsvd field, the SerialNo field, the ReqID field, the UserIP field, the UserPort field, the ErrCode field, the AttrNum field, 16 bytes of zeros (in place of the Authenticator field) and the Attributes field. The first authenticator so calculated is carried in the Authenticator field of the logoff request message. The first user serial number is carried in the USER_SEQNUM sub-attribute of the Attributes field.
Here, the preset shared keys stored by the server and the client are identical, and the method of synchronizing the shared key is the same as in the prior art.
As can be seen from the above flow, in this embodiment the user serial number allocated to a Portal client after each login is normally different, and the Portal client uses the user serial number as one of the inputs to the MD5 digest, so the logoff request message also carries the user serial number. Thus, when a man-in-the-middle attacker intercepts a logoff request message that a Portal client once sent to the Portal server and replays it after that Portal client has logged in again, the user serial number in the replayed logoff request message differs from the user serial number currently allocated to that Portal client, so the Portal server judges the logoff request message to be a replayed message and discards it, and the attack fails. Even if the attacker has captured the user serial number that the Portal server allocated to the Portal client at its latest login and substitutes it into the corresponding field of the replayed logoff request message, the Portal server still detects this in step 24 above: when the Portal server performs the MD5 calculation over the predetermined fields of the logoff request message (which include the user serial number) and the preset shared key, it finds that the result differs from the authenticator carried in the logoff request message, judges that the logoff request message has been tampered with, and still discards it.
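The logoff check of this embodiment (Steps B and C of claim 1, over the message layout of Figure 3), written out as an added Python example; it is not code from the patent or from any Portal implementation. The header field order and the 16 zero bytes in place of the Authenticator follow the list above. The type code of a logoff request, the sub-attribute number of USER_SEQNUM, the type/length/value layout of attributes, the digest input order (zeroed message followed by the key) and the shared key itself are assumptions made for the example. The demo walks through the two attack cases described above: a captured logoff request replayed after a fresh login, and the same message with the new user serial number patched in.

```python
import hashlib
import hmac
import secrets
import struct

# Portal protocol header in the field order listed in the description (Figure 3):
# Ver(1) Type(1) PAP/CHAP(1) Rsvd(1) SerialNo(2) ReqID(2) UserIP(4) UserPort(2)
# ErrCode(1) AttrNum(1) Authenticator(16), followed by TLV attributes.
HEADER_FMT = "!BBBBHH4sHBB16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32
AUTH_OFF = HEADER_LEN - 16                 # the Authenticator occupies bytes 16..32
TYPE_LOGOFF_REQ = 0x05      # assumption: message type code of a logoff request
ATTR_USER_SEQNUM = 0x20     # assumption: sub-attribute number of USER_SEQNUM
SEQ_BITS = 64               # user serial number space of size 2^64, as in the text


def authenticator(packet: bytes, shared_key: bytes) -> bytes:
    """MD5 over the message with the Authenticator field zeroed, followed by the shared key."""
    zeroed = packet[:AUTH_OFF] + b"\x00" * 16 + packet[HEADER_LEN:]
    return hashlib.md5(zeroed + shared_key).digest()


def build_logoff_request(user_ip: str, user_seqnum: int, shared_key: bytes) -> bytes:
    """Client side: logoff request carrying USER_SEQNUM, with the first authenticator filled in."""
    ip = bytes(int(octet) for octet in user_ip.split("."))
    value = user_seqnum.to_bytes(SEQ_BITS // 8, "big")
    attr = struct.pack("!BB", ATTR_USER_SEQNUM, 2 + len(value)) + value   # assumed TLV layout
    header = struct.pack(HEADER_FMT, 1, TYPE_LOGOFF_REQ, 0, 0, 1, 0, ip, 0, 0, 1, b"\x00" * 16)
    packet = header + attr
    return packet[:AUTH_OFF] + authenticator(packet, shared_key) + packet[HEADER_LEN:]


def parse_logoff_request(packet: bytes):
    """Server side: return (first IP address, first user serial number, first authenticator)."""
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    ip, attr_num, first_auth = fields[6], fields[9], fields[10]
    attrs, pos = {}, HEADER_LEN
    for _ in range(attr_num):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    first_seq = int.from_bytes(attrs[ATTR_USER_SEQNUM], "big")
    return ".".join(str(b) for b in ip), first_seq, first_auth


class PortalServer:
    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.online = {}   # IP address -> user serial number: the two columns of Table 1 that are checked

    def login(self, user_ip: str) -> int:
        """Allocation method 1: a random user serial number from the 2^64 space, sent in the login response."""
        seq = secrets.randbits(SEQ_BITS)
        self.online[user_ip] = seq
        return seq

    def verify_logoff(self, packet: bytes) -> str:
        user_ip, first_seq, first_auth = parse_logoff_request(packet)
        second_seq = self.online.get(user_ip)                  # Step B: table lookup by IP address
        if second_seq is None or second_seq != first_seq:
            return "dropped: user serial number mismatch"
        second_auth = authenticator(packet, self.shared_key)   # Step C: recompute the digest
        if not hmac.compare_digest(first_auth, second_auth):
            return "dropped: authenticator mismatch"
        del self.online[user_ip]                               # claim 4: remove the entry after a valid logoff
        return "logoff authenticated"


def demo() -> tuple:
    """Replay a captured logoff after a fresh login, then retry with the new serial number patched in."""
    shared_key = b"portal-shared-secret"                       # constructed key, held by both sides
    server = PortalServer(shared_key)
    ip = "1.1.1.101"
    first_login_seq = server.login(ip)
    captured = build_logoff_request(ip, first_login_seq, shared_key)   # what a man-in-the-middle records
    genuine = server.verify_logoff(captured)
    second_login_seq = server.login(ip)                        # the client logs in again
    replayed = server.verify_logoff(captured)                  # old serial number: Step B rejects it
    # Attacker overwrites the 8-byte USER_SEQNUM value (after its 2-byte TLV header) with the new number
    patched = captured[:HEADER_LEN + 2] + second_login_seq.to_bytes(8, "big") + captured[HEADER_LEN + 10:]
    forged = server.verify_logoff(patched)                     # Step B passes, Step C rejects it
    return genuine, replayed, forged
```

The serial number check supplies freshness and the digest check supplies integrity; both are needed, because the serial number itself travels in the clear. The construction digests message||key with MD5 because that is what the page specifies; anyone building this today should use HMAC-SHA-256 over the same fields, and compare digests in constant time as above.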
This embodiment also provides equipment for implementing the above anti-replay method, specifically comprising a Portal server and a Portal client.
As shown in Figure 4, the Portal server provided by this embodiment comprises:
a receiving unit, for receiving a logoff request message for a first Portal client, the logoff request message including a first authenticator, a first user serial number and a first IP address of the first Portal client;
a first judging unit, for looking up in the locally stored correspondence table the second user serial number corresponding to the first IP address and judging whether the second user serial number is identical to the first user serial number: if so, triggering the second judging unit; otherwise discarding the logoff request message; where the correspondence table stores the correspondence between the IP address and the user serial number that the Portal server allocated to each online Portal client, and the probability that any Portal client is allocated the same user serial number on any two logins is not greater than a predetermined value;
a second judging unit, for performing a digest calculation over the preset shared key and the predetermined fields of the logoff request message according to the predetermined digest algorithm to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logoff authentication of the first Portal client has passed; otherwise discarding the logoff request message; where the predetermined fields include the first user serial number.
Preferably, the Portal server shown in Figure 4 also comprises a serial number allocation unit, for allocating a user serial number to each Portal client after that Portal client passes login authentication, and carrying the allocated user serial number in the authentication response message sent to the corresponding Portal client. Concretely, for any Portal client the serial number allocation unit selects a value at random from the predetermined number space as the user serial number of that Portal client; or it allocates the values of the predetermined number space to the Portal clients in turn, in the order in which each Portal client passes login authentication, as the user serial number of each Portal client.
As shown in Figure 5, the Portal client provided by this embodiment comprises:
a logoff processing unit, for sending a logoff request message to the Portal server when this Portal client needs to log off, the logoff request message including a first authenticator, a first IP address of the first Portal client and a first user serial number, where the first user serial number is the serial number that the Portal server allocated to the first Portal client after the first Portal client logged in, and the probability that the Portal server allocates the same user serial number to any Portal client on different logins is less than a predetermined value; the first authenticator is obtained by performing a digest calculation over the preset shared key and the predetermined fields of the logoff request message according to a predetermined digest algorithm, the predetermined fields including the first user serial number;
where the first user serial number in the logoff request message is provided for the Portal server to compare with a second user serial number, and the logoff request message is discarded when the first and second user serial numbers differ; the second user serial number is the user serial number that the Portal server obtains by looking up the entry for the first IP address in the locally stored correspondence table, which stores the correspondence between the IP address and the user serial number that the Portal server allocated to each online Portal client, and the probability that any Portal client is allocated the same user serial number on any two logins is not greater than a predetermined value;
when the first and second user serial numbers are identical, the first authenticator in the logoff request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical the logoff authentication of the first Portal client is judged to have passed, and when they differ the logoff request message is discarded; the second authenticator is obtained by the Portal server, when the first and second user serial numbers are identical, by performing a digest calculation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
Preferably, the Portal client shown in Figure 5 also comprises:
a login processing unit, for sending a login request message to the Portal server when this Portal client needs to log in, and receiving the login response message returned by the Portal server after the login authentication of the first Portal client passes, the login response message carrying the user serial number that the Portal server allocated to the first Portal client.
< Embodiment 2 >
In this embodiment, when a Portal client is about to log off, it first requests a logoff serial number from the Portal server. Logoff serial numbers are allocated to the Portal clients in turn, that is, in ascending or descending order according to the order in which the Portal clients log off. The Portal server also maintains locally a sliding window for anti-replay and uses this sliding window to check the freshness of logoff request messages.
As shown in Figure 6, the method for preventing replay attacks between a Portal server and a Portal client provided by this embodiment comprises the following steps:
Here, allocating in turn can be allocating in ascending order: if the order in which the serial number request messages of the Portal clients are received is Portal client 1, Portal client 2, Portal client 3, ..., then the logoff serial numbers allocated to Portal client 1, Portal client 2, Portal client 3, ... are n, n+1, n+2, ... respectively. When the allocated logoff serial number reaches the upper limit of a number space of predetermined size, allocation continues cyclically from the lower limit of the number space. Here n is an integer.
Allocating in turn can also be allocating in descending order, in which case the logoff serial numbers allocated to the above Portal client 1, Portal client 2, Portal client 3, ... are n, n-1, n-2, ... respectively. When the allocated logoff serial number reaches the lower limit of the number space of predetermined size, allocation continues cyclically from the upper limit of the number space.
The size of the above number space can be chosen according to the actual application environment, for instance according to the number of Portal clients; for example, 2^32 or 2^64 usually satisfies the anti-replay requirements of practical use. This embodiment does not limit the concrete size of the number space: even if the number space is small, the processing of this embodiment can still, with a certain probability, identify replayed messages, and so prevents replay attacks on logoff request messages to a certain extent.
Here, the first logoff serial number in the logoff request message is provided for the Portal server to judge whether it is within the range of the anti-replay sliding window maintained by the Portal server, and the logoff request message is discarded when the judgement is negative; the two ends of the sliding window are respectively the largest and smallest of the logoff serial numbers that the Portal server has currently allocated to Portal clients that have not yet passed logoff authentication;
when the first logoff serial number is within the sliding window range, the first authenticator in the logoff request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical the logoff authentication of the first Portal client is judged to have passed, and when they differ the logoff request message is discarded; the second authenticator is obtained by the Portal server, when the first logoff serial number is within the sliding window range, by performing a digest calculation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
Here, after the logoff authentication of the first Portal client passes, the Portal server may need to slide the window appropriately, so that its two ends again correspond to the largest and smallest of the logoff serial numbers currently allocated to Portal clients that have not yet passed logoff authentication.
As can be seen from the above flow, this embodiment uses a sliding window of logoff serial numbers to verify the freshness of messages and so prevent replay attacks on logoff request messages. When an attacker launches a replay attack using a previously captured logoff request message of some Portal client, the logoff serial number in the replayed logoff request message will normally lie outside the sliding window, so the logoff request message is discarded and the attack fails. Even if the attacker has captured the logoff serial number most recently allocated by the Portal server to the Portal client and substitutes it into the corresponding field of the previously captured logoff request message, the Portal server still detects this in step 65 above: when the Portal server performs the MD5 calculation over the predetermined fields of the logoff request message (which include the logoff serial number) and the preset shared key, it finds that the result differs from the authenticator carried in the logoff request message, judges that the logoff request message has been tampered with, and still discards it.
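The allocation and sliding-window check of this embodiment as an added Python example (not code from the patent or from any Portal implementation). It generalises to both the ascending and the descending allocation described above and handles the wraparound at the end of the number space, which the text mentions but a naive min/max of the pending numbers gets wrong. The digest comparison is the same as in the embodiment 1 example and is passed in here as a flag. One check goes beyond the page: a serial number that lies between the window ends but has already been consumed is rejected as a replay; with only the end-point test of the description such a message is accepted when an older logoff is still pending, which is why the text calls detection probabilistic. The client IP addresses and the small number space are constructed for the demonstration.

```python
from collections import OrderedDict


class LogoffSeqWindow:
    """Server-side allocator of logoff serial numbers plus the anti-replay sliding window.

    Numbers are handed out in turn (step=+1 ascending, step=-1 descending) from a number
    space of the given size and wrap around at its limit. The window's two ends are the
    oldest and newest numbers allocated but not yet passed logoff authentication (for
    ascending allocation these are the smallest and largest, as in the description);
    membership is measured in allocation direction modulo the space, so it stays correct
    across the wraparound.
    """

    def __init__(self, space: int, start: int = 0, step: int = 1):
        if step not in (1, -1):
            raise ValueError("step must be +1 (ascending) or -1 (descending)")
        self.space, self.step = space, step
        self.next_seq = start % space
        self.pending = OrderedDict()   # logoff serial number -> client IP, in allocation order

    def allocate(self, client_ip: str) -> int:
        """Answer a serial number request: hand out the next number and record it as pending."""
        seq = self.next_seq
        self.next_seq = (seq + self.step) % self.space   # continue from the other limit after wrap
        self.pending[seq] = client_ip
        return seq

    def window(self):
        """(oldest, newest) pending serial number, or None when nothing is pending."""
        if not self.pending:
            return None
        seqs = list(self.pending)
        return seqs[0], seqs[-1]

    def in_window(self, seq: int) -> bool:
        ends = self.window()
        if ends is None:
            return False
        oldest, newest = ends
        # distance from the oldest end, counted in allocation direction, modulo the space
        return ((seq - oldest) * self.step) % self.space <= ((newest - oldest) * self.step) % self.space

    def verify(self, seq: int, authenticator_ok: bool) -> str:
        """Logoff request check: window test first, then the digest comparison (a flag here)."""
        if not self.in_window(seq):
            return "dropped: outside window"
        if seq not in self.pending:
            # Added beyond the description: a number between the ends that was already consumed
            # is a replay. Without this test the scheme accepts it whenever an older logoff is pending.
            return "dropped: serial number already used"
        if not authenticator_ok:
            return "dropped: authenticator mismatch"
        del self.pending[seq]        # the window slides to the remaining pending numbers
        return "logoff authenticated"


def demo() -> list:
    """Three clients get logoff serial numbers across the top of a small space; replays and tampering fail."""
    win = LogoffSeqWindow(space=2 ** 16, start=2 ** 16 - 2)   # small space; the text suggests 2^32 or 2^64
    a = win.allocate("1.1.1.101")   # 65534
    b = win.allocate("1.1.1.102")   # 65535
    c = win.allocate("1.1.1.103")   # 0, after the wraparound
    return [
        win.verify(b, True),    # genuine logoff of client 2; window is now (65534, 0)
        win.verify(b, True),    # the same message replayed: between the ends, but already used
        win.verify(5, True),    # message captured in an earlier session: outside the window
        win.verify(c, False),   # current serial number patched into an old message: digest fails
        win.verify(c, True),    # genuine logoff of client 3
        win.verify(a, True),    # genuine logoff of client 1
        win.verify(a, True),    # nothing pending any more
    ]
```

With a window that spans only the pending numbers, the space can be small, as the text says, but the consumed-number test is what turns "usually outside the window" into a deterministic rejection; the cost is one set entry per pending logoff, cleared when the window slides.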
This embodiment also provides equipment for implementing the above anti-replay method, specifically comprising a Portal server and a Portal client.
As shown in Figure 7, the Portal server provided by this embodiment comprises:
a receiving unit, for receiving a logoff request message for a first Portal client, the logoff request message including a first authenticator, a first logoff serial number and a first IP address of the first Portal client;
a first judging unit, for judging whether the first logoff serial number is within the range of the locally maintained anti-replay sliding window: if so, triggering the second judging unit; otherwise discarding the logoff request message; where the two ends of the sliding window are respectively the largest and smallest of the logoff serial numbers that the Portal server has currently allocated to Portal clients that have not yet passed logoff authentication, and the logoff serial numbers are allocated to the Portal clients in turn by the Portal server, in the order in which it receives the serial number request messages that each Portal client sends to request a logoff serial number when it needs to log off;
a second judging unit, for performing a digest calculation over the preset shared key and the predetermined fields of the logoff request message according to the predetermined digest algorithm to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the logoff authentication of the first Portal client has passed; otherwise discarding the logoff request message; where the predetermined fields include the first logoff serial number.
Preferably, the Portal server shown in Figure 7 also comprises a serial number allocation unit, for allocating logoff serial numbers to the Portal clients in turn, in the order in which the serial number request messages are received, after receiving the serial number request message that each Portal client sends to request a logoff serial number when it needs to log off.
As shown in Figure 8, the Portal client provided by this embodiment comprises:
a serial number request unit, for sending a serial number request message to the Portal server to request a logoff serial number when this Portal client needs to log off, and receiving the serial number response message returned by the Portal server, which carries the logoff serial number that the Portal server allocated to the first Portal client; where the logoff serial numbers are allocated to the Portal clients in turn by the Portal server, in the order in which it receives the serial number request messages sent by the Portal clients;
a logoff processing unit, for sending a logoff request message to the Portal server, the logoff request message including a first authenticator, the first logoff serial number and a first IP address of the first Portal client, where the first authenticator is obtained by performing a digest calculation over the preset shared key and the predetermined fields of the logoff request message according to a predetermined digest algorithm, the predetermined fields including the first logoff serial number;
where the first logoff serial number in the logoff request message is provided for the Portal server to judge whether it is within the range of the anti-replay sliding window maintained locally by the Portal server, and the logoff request message is discarded when the judgement is negative; the two ends of the sliding window are respectively the largest and smallest of the logoff serial numbers that the Portal server has currently allocated to Portal clients that have not yet passed logoff authentication;
when the first logoff serial number is within the sliding window range, the first authenticator in the logoff request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical the logoff authentication of the first Portal client is judged to have passed, and when they differ the logoff request message is discarded; the second authenticator is obtained by the Portal server, when the first logoff serial number is within the sliding window range, by performing a digest calculation over the preset shared key and the predetermined fields according to the predetermined digest algorithm.
In summary, in the anti-replay method and equipment provided by the embodiments of the present invention, the Portal server allocates a corresponding serial number (such as a user serial number or a logoff serial number) to the client and uses this serial number during logoff authentication to detect replayed messages, thereby effectively preventing replay attacks on logoff request messages and improving the security of the Portal authentication system.
The above are only embodiments of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.
Claims (16)
1. a method that prevents Replay Attack between Portal server and Portal client of being carried out by Portal server, is characterized in that, comprising:
Steps A, Portal server receives the request message that rolls off the production line for a Portal client, described in roll off the production line and include an IP address of the first authenticator, first user sequence number and a Portal client in request message;
Step B, in the mapping table that Portal server is preserved in this locality, search second user's sequence number corresponding to a described IP address, and judge that whether first, second user's sequence number is identical: if so, enter step C, otherwise described in abandoning, roll off the production line request message process ends; Wherein, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value;
Step C, Portal server is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out digest calculations, obtain the second authenticator, and judge that whether first, second authenticator is identical: the authentication of rolling off the production line that if so, judges a described Portal client is passed through; Otherwise request message process ends roll off the production line described in abandoning; Wherein, described predetermined field includes described first user sequence number.
2. the method for claim 1, is characterized in that, also comprises:
Described Portal server is reached the standard grade after authentication passes through in each Portal client, is each Portal client distributing user sequence number, and distributed user's sequence number is carried to authentication sends to corresponding Portal client in back message using.
3. method as claimed in claim 2, is characterized in that,
Describedly for each Portal client distributing user sequence number be:
For arbitrary Portal client, in predetermined numerical space, select at random a numerical value, as user's sequence number of this Portal client; Or, reach the standard grade and authenticate the sequencing passing through according to each Portal client, the numerical value in predetermined numerical space is distributed to each Portal client in turn, as user's sequence number of each Portal client.
4. method as claimed in claim 2, it is characterized in that, in described step C, after the authentication of rolling off the production line that judges a described Portal client is passed through, described Portal server is further deleted the corresponding relation between a described IP address and the described second user's sequence number of preserving in described mapping table.
5. A method for preventing replay attacks between a Portal server and a Portal client, executed by the Portal client, characterized in that it comprises:
when a first Portal client needs to go offline, sending an offline request message to the Portal server, the offline request message including a first authenticator, a first IP address of the first Portal client and a first user sequence number; wherein the first user sequence number is the user sequence number that the Portal server allocated to the first Portal client after the first Portal client went online, and the probability that the Portal server allocates the same user sequence number to any Portal client on each occasion it goes online is not greater than a predetermined value; the first authenticator is obtained by performing a digest calculation, according to a predetermined digest algorithm, over a preset shared key and a predetermined field of the offline request message, the predetermined field including the first user sequence number;
wherein the first user sequence number in the offline request message is provided for the Portal server to compare with a second user sequence number, the offline request message being discarded when the first and second user sequence numbers are not identical; the second user sequence number is the user sequence number corresponding to the first IP address that the Portal server obtains by searching a locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server allocated to each online Portal client, and the probability that any Portal client is allocated the same user sequence number on any two occasions it goes online is not greater than a predetermined value;
the first authenticator in the offline request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; wherein the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by performing a digest calculation over the preset shared key and the predetermined field according to the predetermined digest algorithm.
6. The method according to claim 5, characterized in that, before the offline request message is sent, the method further comprises:
the first Portal client sending an online request message to the Portal server when it needs to go online, and receiving the online response message that the Portal server returns after the online authentication of the first Portal client has passed, the online response message carrying the user sequence number that the Portal server allocated to the first Portal client.
7. A Portal server, characterized in that it comprises:
a receiving unit, for receiving an offline request message for a first Portal client, the offline request message including a first authenticator, a first user sequence number and a first IP address of the first Portal client;
a first judging unit, for searching a locally stored mapping table for the second user sequence number corresponding to the first IP address and judging whether the first and second user sequence numbers are identical: if so, triggering the second judging unit; otherwise, discarding the offline request message; wherein the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server allocated to each online Portal client, and the probability that any Portal client is allocated the same user sequence number on any two occasions it goes online is not greater than a predetermined value;
a second judging unit, for performing a digest calculation, according to a predetermined digest algorithm, over a preset shared key and a predetermined field of the offline request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the offline authentication of the first Portal client has passed; otherwise, discarding the offline request message; wherein the predetermined field includes the first user sequence number.
8. The Portal server according to claim 7, characterized in that it further comprises:
a sequence number allocation unit, for allocating a user sequence number to each Portal client after the online authentication of that Portal client has passed, and carrying the allocated user sequence number in an authentication response message sent to the corresponding Portal client.
9. The Portal server according to claim 8, characterized in that
the sequence number allocation unit is further configured, for any Portal client, to select a value at random from a predetermined numerical space as the user sequence number of that Portal client; or to allocate the values in the predetermined numerical space to the Portal clients one after another, in the order in which each Portal client passed online authentication, as the user sequence number of each Portal client.
10. A Portal client, characterized in that it comprises:
an offline processing unit, for sending an offline request message to the Portal server when the Portal client needs to go offline, the offline request message including a first authenticator, a first IP address of the first Portal client and a first user sequence number; wherein the first user sequence number is the user sequence number that the Portal server allocated to the first Portal client after the first Portal client went online, and the probability that the Portal server allocates the same user sequence number to any Portal client on each occasion it goes online is not greater than a predetermined value; the first authenticator is obtained by performing a digest calculation, according to a predetermined digest algorithm, over a preset shared key and a predetermined field of the offline request message, the predetermined field including the first user sequence number;
wherein the first user sequence number in the offline request message is provided for the Portal server to compare with a second user sequence number, the offline request message being discarded when the first and second user sequence numbers are not identical; the second user sequence number is the user sequence number corresponding to the first IP address that the Portal server obtains by searching a locally stored mapping table; the mapping table stores the correspondence between the IP address and the user sequence number that the Portal server allocated to each online Portal client, and the probability that any Portal client is allocated the same user sequence number on any two occasions it goes online is not greater than a predetermined value;
the first authenticator in the offline request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; wherein the second authenticator is obtained by the Portal server, when the first and second user sequence numbers are identical, by performing a digest calculation over the preset shared key and the predetermined field according to the predetermined digest algorithm.
11. The Portal client according to claim 10, characterized in that it further comprises:
an online processing unit, for sending an online request message to the Portal server when the Portal client needs to go online, and receiving the online response message that the Portal server returns after the online authentication of the first Portal client has passed, the online response message carrying the user sequence number that the Portal server allocated to the first Portal client.
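The user-sequence-number scheme of claims 1 to 11, as an added example in Python that is not part of the patent: the server allocates a random user sequence number at logon, checks a logoff request first against its mapping table and then against a recomputed authenticator, and deletes the mapping on success so that a captured request cannot be accepted a second time. The HMAC-SHA256 digest, the layout of the predetermined field and the in-memory tables are assumptions, since the claims specify none of them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Assumed digest algorithm: HMAC-SHA256 keyed with the preset shared key over the
# predetermined field (the claims leave the digest algorithm unspecified).
def compute_authenticator(shared_key: bytes, predetermined_field: bytes) -> bytes:
    return hmac.new(shared_key, predetermined_field, hashlib.sha256).digest()


# Assumed layout of the predetermined field: it must cover the user sequence
# number (claims 1, 5); binding the IP address as well is an added choice.
def predetermined_field(ip: str, user_seq: int) -> bytes:
    return f"{ip}|{user_seq}".encode()


@dataclass(frozen=True)
class LogoffRequest:
    ip: str                # first IP address
    user_seq: int          # first user sequence number
    authenticator: bytes   # first authenticator


@dataclass
class PortalServer:
    shared_key: bytes
    seq_space: int = 2 ** 32                      # predetermined numerical space
    mapping: dict = field(default_factory=dict)   # IP address -> user sequence number

    def logon(self, ip: str) -> int:
        """Online authentication passed: allocate a random user sequence number
        (claim 3, random variant) and record ip -> seq in the mapping table."""
        seq = secrets.randbelow(self.seq_space)
        self.mapping[ip] = seq
        return seq  # carried to the client in the online response message

    def verify_logoff(self, req: LogoffRequest) -> bool:
        # Step B: look up the second user sequence number by IP; discard on mismatch
        # (an unknown IP, or a stale number from an earlier session, fails here).
        second_seq = self.mapping.get(req.ip)
        if second_seq is None or second_seq != req.user_seq:
            return False
        # Step C: recompute the authenticator and compare in constant time.
        expected = compute_authenticator(
            self.shared_key, predetermined_field(req.ip, req.user_seq))
        if not hmac.compare_digest(expected, req.authenticator):
            return False
        # Claim 4: offline authentication passed; remove the mapping so that the
        # very same request cannot be accepted again.
        del self.mapping[req.ip]
        return True


@dataclass
class PortalClient:
    ip: str
    shared_key: bytes
    user_seq: int = -1

    def logon(self, server: PortalServer) -> None:
        self.user_seq = server.logon(self.ip)

    def build_logoff(self) -> LogoffRequest:
        auth = compute_authenticator(
            self.shared_key, predetermined_field(self.ip, self.user_seq))
        return LogoffRequest(self.ip, self.user_seq, auth)


def demo() -> tuple:
    """Constructed scenario: one genuine logoff, then three requests that must fail."""
    key = b"constructed-shared-key"
    server = PortalServer(key)
    client = PortalClient("10.0.0.7", key)
    client.logon(server)
    req = client.build_logoff()
    first = server.verify_logoff(req)                 # genuine request: accepted
    replay_same_session = server.verify_logoff(req)   # replay: mapping already deleted
    client.logon(server)                              # user comes back online, new number
    replay_next_session = server.verify_logoff(req)   # replay: sequence number differs
    forged = server.verify_logoff(                    # right number, wrong authenticator
        LogoffRequest(client.ip, client.user_seq, b"\x00" * 32))
    return first, replay_same_session, replay_next_session, forged
```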
12. A method for preventing replay attacks between a Portal server and a Portal client, characterized in that it comprises:
Step 1: the Portal server receives an offline request message for a first Portal client, the offline request message including a first authenticator, a first offline sequence number and a first IP address of the first Portal client;
Step 2: the Portal server judges whether the first offline sequence number is within the range of the anti-replay sliding window that it maintains locally: if so, proceed to step 3; otherwise, discard the offline request message and end the process; wherein the two ends of the sliding window are respectively the largest and the smallest of the offline sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed offline authentication; the offline sequence numbers are allocated by the Portal server to each Portal client one after another, in the order in which it receives the sequence number request messages that each Portal client sends, when it needs to go offline, to request an offline sequence number;
Step 3: the Portal server performs a digest calculation, according to a predetermined digest algorithm, over a preset shared key and a predetermined field of the offline request message to obtain a second authenticator, and judges whether the first and second authenticators are identical: if so, it judges that the offline authentication of the first Portal client has passed; otherwise, it discards the offline request message and ends the process; wherein the predetermined field includes the first offline sequence number.
13. A method for preventing replay attacks between a Portal server and a Portal client, characterized in that it comprises:
when a first Portal client needs to go offline, sending a sequence number request message to the Portal server to request an offline sequence number, and receiving the sequence number response message returned by the Portal server, the sequence number response message carrying the first offline sequence number that the Portal server allocated to the first Portal client; wherein the Portal server allocates offline sequence numbers to the Portal clients one after another, in the order in which it receives the sequence number request messages sent by each Portal client;
the first Portal client sending an offline request message to the Portal server, the offline request message including a first authenticator, the first offline sequence number and a first IP address of the first Portal client; wherein the first authenticator is obtained by performing a digest calculation, according to a predetermined digest algorithm, over a preset shared key and a predetermined field of the offline request message, the predetermined field including the first offline sequence number;
wherein the first offline sequence number in the offline request message is provided for the Portal server to judge whether it is within the range of the anti-replay sliding window maintained by the Portal server, the offline request message being discarded when the judgement result is no; wherein the two ends of the sliding window are respectively the largest and the smallest of the offline sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed offline authentication;
the first authenticator in the offline request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; wherein the second authenticator is obtained by the Portal server, when the first offline sequence number is within the range of the anti-replay sliding window, by performing a digest calculation over the preset shared key and the predetermined field according to the predetermined digest algorithm.
14. A Portal server, characterized in that it comprises:
a receiving unit, for receiving an offline request message for a first Portal client, the offline request message including a first authenticator, a first offline sequence number and a first IP address of the first Portal client;
a first judging unit, for judging whether the first offline sequence number is within the range of the anti-replay sliding window maintained locally: if so, triggering the second judging unit; otherwise, discarding the offline request message; wherein the two ends of the sliding window are respectively the largest and the smallest of the offline sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed offline authentication; the offline sequence numbers are allocated by the Portal server to each Portal client one after another, in the order in which it receives the sequence number request messages that each Portal client sends, when it needs to go offline, to request an offline sequence number;
a second judging unit, for performing a digest calculation, according to a predetermined digest algorithm, over a preset shared key and a predetermined field of the offline request message to obtain a second authenticator, and judging whether the first and second authenticators are identical: if so, judging that the offline authentication of the first Portal client has passed; otherwise, discarding the offline request message; wherein the predetermined field includes the first offline sequence number.
15. The Portal server according to claim 14, characterized in that it further comprises:
a sequence number allocation unit, for allocating an offline sequence number to each Portal client one after another, in the order in which it receives the sequence number request messages that each Portal client sends, when it needs to go offline, to request an offline sequence number.
16. A Portal client, characterized in that it comprises:
a sequence number request unit, for sending a sequence number request message to the Portal server to request an offline sequence number when the Portal client needs to go offline, and receiving the sequence number response message returned by the Portal server, the sequence number response message carrying the first offline sequence number that the Portal server allocated to the first Portal client; wherein the Portal server allocates offline sequence numbers to the Portal clients one after another, in the order in which it receives the sequence number request messages sent by each Portal client;
an offline processing unit, for sending an offline request message to the Portal server, the offline request message including a first authenticator, the first offline sequence number and a first IP address of the first Portal client; wherein the first authenticator is obtained by performing a digest calculation, according to a predetermined digest algorithm, over a preset shared key and a predetermined field of the offline request message, the predetermined field including the first offline sequence number;
wherein the first offline sequence number in the offline request message is provided for the Portal server to judge whether it is within the range of the anti-replay sliding window set locally by the Portal server, the offline request message being discarded when the judgement result is no; wherein the two ends of the sliding window are respectively the largest and the smallest of the offline sequence numbers that the Portal server has currently allocated to Portal clients that have not yet passed offline authentication;
the first authenticator in the offline request message is provided for the Portal server to compare with a second authenticator; when the first and second authenticators are identical, the offline authentication of the first Portal client is judged to have passed, and when they are not identical the offline request message is discarded; wherein the second authenticator is obtained by the Portal server, when the first offline sequence number is within the range of the anti-replay sliding window, by performing a digest calculation over the preset shared key and the predetermined field according to the predetermined digest algorithm.
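The sliding-window scheme of claims 12 to 16, as an added example in Python that is not the patent's own code: offline sequence numbers are issued one after another on request, the window ends are the smallest and largest numbers still outstanding, and a logoff request must fall inside the window before its authenticator is checked. The HMAC-SHA256 digest and the field layout are assumptions; the example also adds a check that the number is still outstanding, which the claims do not state, because a consumed number in the middle of the window would otherwise pass the range test on replay.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


# Assumed digest algorithm: HMAC-SHA256 keyed with the preset shared key over the
# predetermined field (the claims leave the digest algorithm unspecified).
def compute_authenticator(shared_key: bytes, predetermined_field: bytes) -> bytes:
    return hmac.new(shared_key, predetermined_field, hashlib.sha256).digest()


# Assumed layout: the field must cover the offline sequence number (claim 12);
# binding the IP address as well is an added choice.
def predetermined_field(ip: str, logoff_seq: int) -> bytes:
    return f"{ip}|{logoff_seq}".encode()


@dataclass(frozen=True)
class LogoffRequest:
    ip: str                # first IP address
    logoff_seq: int        # first offline sequence number
    authenticator: bytes   # first authenticator


@dataclass
class PortalServer:
    shared_key: bytes
    next_seq: int = 1
    outstanding: set = field(default_factory=set)  # allocated, offline auth not yet passed

    def allocate_logoff_seq(self) -> int:
        """Claim 15: hand out offline sequence numbers in turn, in the order the
        sequence number request messages arrive."""
        seq = self.next_seq
        self.next_seq += 1
        self.outstanding.add(seq)
        return seq  # returned to the client in the sequence number response message

    def window(self):
        """Two ends of the anti-replay sliding window: the smallest and largest
        outstanding offline sequence numbers (None when nothing is outstanding)."""
        if not self.outstanding:
            return None
        return min(self.outstanding), max(self.outstanding)

    def verify_logoff(self, req: LogoffRequest) -> bool:
        # Step 2: range check against the sliding window.
        w = self.window()
        if w is None or not (w[0] <= req.logoff_seq <= w[1]):
            return False
        # Added check (assumption, not stated in the claims): a number inside the
        # window that was already consumed is a replay, so it must still be outstanding.
        if req.logoff_seq not in self.outstanding:
            return False
        # Step 3: recompute the authenticator and compare in constant time.
        expected = compute_authenticator(
            self.shared_key, predetermined_field(req.ip, req.logoff_seq))
        if not hmac.compare_digest(expected, req.authenticator):
            return False
        self.outstanding.discard(req.logoff_seq)  # consume; the window shrinks or advances
        return True


def build_logoff(shared_key: bytes, ip: str, logoff_seq: int) -> LogoffRequest:
    """Client side (offline processing unit of claim 16)."""
    auth = compute_authenticator(shared_key, predetermined_field(ip, logoff_seq))
    return LogoffRequest(ip, logoff_seq, auth)


def demo() -> tuple:
    """Constructed scenario with three clients holding numbers 1, 2 and 3."""
    key = b"constructed-shared-key"
    server = PortalServer(key)
    seqs = {ip: server.allocate_logoff_seq() for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")}
    req_b = build_logoff(key, "10.0.0.2", seqs["10.0.0.2"])
    accepted = server.verify_logoff(req_b)        # True; window stays (1, 3)
    replayed = server.verify_logoff(req_b)        # False: 2 is in range but consumed
    never_issued = server.verify_logoff(          # False: 4 lies outside the window
        build_logoff(key, "10.0.0.9", 4))
    req_a = build_logoff(key, "10.0.0.1", seqs["10.0.0.1"])
    accepted_a = server.verify_logoff(req_a)      # True; window advances to (3, 3)
    return accepted, replayed, never_issued, accepted_a, server.window()
```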
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910237527.5A CN102065067B (en) | 2009-11-11 | 2009-11-11 | Method and device for preventing replay attack between portal server and client |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102065067A CN102065067A (en) | 2011-05-18 |
CN102065067B true CN102065067B (en) | 2014-06-25 |
Family ID: 44000170
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Patentee after: Xinhua three Technology Co., Ltd.; Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base; Patentee before: Huasan Communication Technology Co., Ltd. |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20140625; Termination date: 20191111 |