CN102065067B

CN102065067B - Method and device for preventing replay attack between portal server and client

Info

Publication number: CN102065067B
Application number: CN200910237527.5A
Authority: CN
Inventors: 刘洋; 伊莉娜
Original assignee: Hangzhou H3C Technologies Co Ltd
Current assignee: New H3C Technologies Co Ltd
Priority date: 2009-11-11
Filing date: 2009-11-11
Publication date: 2014-06-25
Anticipated expiration: 2029-11-11
Also published as: CN102065067A

Abstract

The invention provides a method and device for preventing an replay attack between a portal server and a client. In the invention, the portal server is used for distributing the corresponding serial number, such as user serial number or downline serial number, for the client, and detecting a replay message by using the serial number in the downline authentication process, thereby effectively preventing the replay attack of the downline request message and enhancing the security of the portal authentication system.

Description

A kind of between portal server and client the method and apparatus of anti-replay-attack

Technical field

The present invention relates to secure authentication technology field, be specifically related to the method and apparatus of one anti-replay-attack between door (Portal) Portal server and Portal client.

Background technology

Portal authenticates conventionally also referred to as web authentication, carries out user by webpage (Web) mode and authenticates.Generally Portal authentication website is called to portal website.Portal authentication protocol is mainly used in the broadband access authentication system based on WEB, the authentication and authorization of completing user.When unauthenticated user online, equipment force users signs in to particular station, and user can free access service wherein.In the time that user need to use the out of Memory in the Internet, must authenticate in portal website, only have authentication just can use Internet resources by rear user.

Whole Portal verification process has related to authentication Portal client (Portal Client), certificate server (Portal Server), BAS Broadband Access Server (BAS, Broad Access Server) and Certificate Authority and charging (AAA, Authentication Authorization Accounting) server.Authentication is main by the protocol interaction between Portal Server and BAS, agreement adopts non-proper client/server (Client/Server) structure, and most of message adopts request/response (Request/Response) mode to carry out alternately.

At present, the Portal client handling process that initiatively requirement is rolled off the production line as shown in Figure 1.In the process that initiatively requires to roll off the production line in Portal client, Portal client can send the request message (LOGOUT_REQUEST (0x66)) that rolls off the production line by former head's trend Portal server, wherein this authentication (Authenticator) field rolling off the production line in request message is this preset shared key that rolls off the production line part field in request message and Portal client to be carried out to Message-Digest Algorithm 5 (MD5, Message-Digest algorithm 5) digest calculations draw.When Portal server is received above-mentioned rolling off the production line after request message, will carry out MD5 digest according to the preset shared key of the part field in this request message and Portal server and calculate a value, and and the value of the Authenticator field of Portal client compare, if identical, just think that message is legal, execution is mutual with BAS's, and the most backward Portal client is returned to the back message using that rolls off the production line; Otherwise just think and can simply abandon message mistake, and carry out the statistics to dropping packets.Above-mentioned processing procedure is the verification process of Portal server for Portal client.In order to complete this verification process, require Portal server and Portal client two ends need to configure identical preset shared key (Secret), and both sides adopt identical cryptographic algorithm (as the cryptographic algorithm of the MD5 describing in RFC1321), recipient is in order to verify the correctness of received message simultaneously, must adopt and the duplicate computational process of transmit leg, predetermined field is encrypted to calculating.

There is the safety problem of go-between's Replay Attack in the Portal client of the prior art implementation that rolls off the production line.If the person that has man-in-the-middle attack between Portal client and Portal server, certain initiatively rolling off the production line after request message once that it listens to that Portal client sends to Portal server, preserves this message.When this Portal client is again by authentication, when normally reaching the standard grade, man-in-the-middle attack person to Portal server this message of resetting, will cause Portal server that this Portal client is played and rolled off the production line suddenly.If man-in-the-middle attack person has preserved the request message that initiatively rolls off the production line of a large amount of different Portal clients of Portal client, and irregularly deliberately reset, will cause occurring the improper situation about going offline of a large amount of Portal clients, and then can also derive other attack, as: Session Hijack, between main frame, trusting relationship is stolen etc.

Summary of the invention

Technical problem to be solved by this invention be to provide a kind of between Portal server and Portal client the method and apparatus of anti-replay-attack, the Replay Attack of the request message that effectively prevents from rolling off the production line, the fail safe that improves Portal Verification System.

For solving the problems of the technologies described above, the invention provides scheme as follows:

A method for anti-replay-attack between Portal server and Portal client, comprising:

Steps A, Portal server receives the request message that rolls off the production line for a Portal client, described in roll off the production line and include an IP address of the first authenticator, first user sequence number and a Portal client in request message;

Step B, in the mapping table that Portal server is preserved in this locality, search second user's sequence number corresponding to a described IP address, and judge that whether first, second user's sequence number is identical: if so, enter step C, otherwise described in abandoning, roll off the production line request message process ends; Wherein, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value;

Step C, Portal server is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out digest calculations, obtain the second authenticator, and judge that whether first, second authenticator is identical: the authentication of rolling off the production line that if so, judges a described Portal client is passed through; Otherwise request message process ends roll off the production line described in abandoning; Wherein, described predetermined field includes described first user sequence number.

Preferably, in said method, also comprise:

Described Portal server is reached the standard grade after authentication passes through in each Portal client, is each Portal client distributing user sequence number, and distributed user's sequence number is carried to authentication sends to corresponding Portal client in back message using.

Preferably, in said method,

Describedly for each Portal client distributing user sequence number be:

For arbitrary Portal client, in predetermined numerical space, select at random a numerical value, as user's sequence number of this Portal client; Or, reach the standard grade and authenticate the sequencing passing through according to each Portal client, the numerical value in predetermined numerical space is distributed to each Portal client in turn, as user's sequence number of each Portal client.

Preferably, in said method, in described step C, after the authentication of rolling off the production line that judges a described Portal client is passed through, described Portal server is further deleted the corresponding relation between a described IP address and the described second user's sequence number of preserving in described mapping table.

The present invention also provides the method for another kind anti-replay-attack between Portal server and Portal client, comprising:

The one Portal client is in the time that needs roll off the production line, send to Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include an IP address and the first user sequence number of the first authenticator, a Portal client, wherein, described first user sequence number is that described Portal server is user's sequence number that a Portal client is distributed after a Portal client is reached the standard grade, and the probability that arbitrary Portal client is assigned to same user's sequence number by described Portal server at every turn after reaching the standard grade is less than predetermined value; Described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first user sequence number;

Wherein, the described first user sequence number rolling off the production line in request message is for offering described Portal server and second user's sequence number compares, and first, request message rolls off the production line described in second user's sequence number abandons when not identical, wherein, described second user's sequence number is that described Portal server is searched the user sequence number corresponding with an IP address that the local mapping table of preserving obtains, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value,

Described the first authenticator rolling off the production line in request message is for offering described Portal server and the second authenticator compares, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, described the second authenticator be described Portal server in the time that described first, second user's sequence number is identical, according to predetermined digest algorithm, preset shared key and described predetermined field are carried out that digest calculations obtains.

Preferably, in said method, before the request message that rolls off the production line described in sending, described method also comprises:

The one Portal client sends to Portal server the request message of reaching the standard grade in the time that this Portal client need to be reached the standard grade, and receive Portal server to a described Portal client reach the standard grade authentication by after the back message using of reaching the standard grade that returns, described in reach the standard grade that to carry described Portal server in back message using be user's sequence number that a described Portal client is distributed.

The invention provides a kind of Portal server, comprising:

Receiving element, for receiving the request message that rolls off the production line for a Portal client, described in roll off the production line and include an IP address of the first authenticator, first user sequence number and a Portal client in request message;

The first judging unit, searches second user's sequence number corresponding to a described IP address for the mapping table of preserving in this locality, and judges that whether first, second user's sequence number is identical: if so, trigger the second judging unit; Otherwise request message rolls off the production line described in abandoning; Wherein, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value;

The second judging unit, according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out digest calculations, obtain the second authenticator, and judge that whether first, second authenticator is identical: the authentication of rolling off the production line that if so, judges a described Portal client is passed through; Otherwise request message rolls off the production line described in abandoning; Wherein, described predetermined field includes described first user sequence number.

Preferably, in above-mentioned Portal server, also comprise:

Serial number assignment unit, after passing through, is each Portal client distributing user sequence number, and distributed user's sequence number is carried in authentication back message using and sends to corresponding Portal client for the authentication of reaching the standard grade in each Portal client.

Preferably, in above-mentioned Portal server,

A numerical value also, for for arbitrary Portal client, is selected at random, as user's sequence number of this Portal client in described serial number assignment unit in predetermined numerical space; Or the sequencing passing through for the authentication of reaching the standard grade according to each Portal client, distributes to each Portal client by the numerical value in predetermined numerical space, in turn as user's sequence number of each Portal client.

The present invention also provides a kind of Portal client, comprising:

Processing unit rolls off the production line, for in the time that this Portal client need to roll off the production line, send to described Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include the first authenticator, the one IP address and the first user sequence number of the one Portal client, wherein, described first user sequence number is that described Portal server is user's sequence number that a Portal client is distributed after a Portal client is reached the standard grade, and the probability that arbitrary Portal client is assigned to same user's sequence number by described Portal server at every turn after reaching the standard grade is less than predetermined value, described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first user sequence number,

Wherein, the described first user sequence number rolling off the production line in request message is for comparing for described Portal server and second user's sequence number, and first, request message rolls off the production line described in second user's sequence number abandons when not identical, wherein, described second user's sequence number is that described Portal server is searched the user sequence number corresponding with an IP address that the local mapping table of preserving obtains, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value,

Preferably, in above-mentioned Portal client, also comprise:

The processing unit of reaching the standard grade, for send to Portal server the request message of reaching the standard grade in the time that this Portal client need to be reached the standard grade, and receive Portal server to a described Portal client reach the standard grade authentication by after the back message using of reaching the standard grade that returns, described in reach the standard grade that to carry described Portal server in back message using be user's sequence number that a described Portal client is distributed.

The present invention also provide a kind of between Portal server and Portal client the method for anti-replay-attack, comprising:

Step 1, Portal server receives the request message that rolls off the production line for a Portal client, described in roll off the production line and include roll off the production line an IP address of sequence number and a Portal client of the first authenticator, first in request message;

Step 2, Portal server judges that described first rolls off the production line sequence number whether within the sliding window scope of the anti-replay in local maintenance: if so, enter step 3, otherwise described in abandoning, roll off the production line request message process ends; Wherein, the two ends of described sliding window are respectively the maximum and the recklings that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line of described Portal server, the distribution of the described sequence number that rolls off the production line be Portal server receive that each Portal client sends in the time need to rolling off the production line the serial number request message for the sequence number of asking to roll off the production line after, according to the sequencing that receives described serial number request message, for each Portal client is distributed in turn;

Step 3, Portal server is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out digest calculations, obtain the second authenticator, and judge that whether first, second authenticator is identical: the authentication of rolling off the production line that if so, judges a described Portal client is passed through; Otherwise request message process ends roll off the production line described in abandoning; Wherein, in described predetermined field, include described first sequence number that rolls off the production line.

Preferably, in said method, also comprise:

After the serial number request message for the sequence number of asking to roll off the production line that described Portal server receives that each Portal client sends in the time need to rolling off the production line, according to the sequencing that receives described serial number request message, for each Portal client is distributed the sequence number that rolls off the production line in turn.

The present invention provide again a kind of between Portal server and Portal client the method for anti-replay-attack, comprising:

The one Portal client is in the time that needs roll off the production line, send the serial number request message for the sequence number of asking to roll off the production line to Portal server, and receive the sequence number back message using that Portal server returns, in described sequence number back message using, carrying described Portal server is the sequence number that rolls off the production line that a described Portal client is distributed, wherein, the distribution of the described sequence number that rolls off the production line is described Portal server according to the sequencing that receives the serial number request message that each Portal client sends, for each Portal client is distributed in turn;

The one Portal client sends to described Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include roll off the production line an IP address of sequence number and a Portal client of the first authenticator, described first, wherein, described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first sequence number that rolls off the production line;

Wherein, described first in the request message that roll off the production line rolls off the production line sequence number within judging whether the sliding window scope of the anti-replay of safeguarding in described Portal server for described Portal server, and the request message that rolls off the production line described in abandoning while being no in judged result; Wherein, the two ends of described sliding window are respectively the maximum and the recklings that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line of described Portal server;

Described the first authenticator rolling off the production line in request message is for comparing for described Portal server and the second authenticator, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, to be described Portal server roll off the production line sequence number when identical at described first, second to described the second authenticator, according to predetermined digest algorithm, preset shared key and described predetermined field carried out that digest calculations obtains.

The present invention also provides another kind of Portal server, comprising:

Receiving element, for receiving the request message that rolls off the production line for a Portal client, described in roll off the production line and include roll off the production line an IP address of sequence number and a Portal client of the first authenticator, first in request message;

The first judging unit, for judging that described first rolls off the production line sequence number whether within the sliding window scope of the anti-replay in local maintenance: if so, trigger the second judging unit, otherwise the request message that rolls off the production line described in abandoning; Wherein, the two ends of described sliding window are respectively the maximum and the recklings that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line of described Portal server, the distribution of the described sequence number that rolls off the production line be Portal server receive that each Portal client sends in the time need to rolling off the production line the serial number request message for the sequence number of asking to roll off the production line after, according to the sequencing that receives described serial number request message, for each Portal client is distributed in turn;

The second judging unit, be used for according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out digest calculations, obtain the second authenticator, and judge that whether first, second authenticator is identical: the authentication of rolling off the production line that if so, judges a described Portal client is passed through; Otherwise request message rolls off the production line described in abandoning; Wherein, in described predetermined field, include described first sequence number that rolls off the production line.

Preferably, in above-mentioned Portal server, also comprise:

Serial number assignment unit, for after the serial number request message for the sequence number of asking to roll off the production line that receives that each Portal client sends in the time need to rolling off the production line, according to the sequencing that receives described serial number request message, for each Portal client is distributed the sequence number that rolls off the production line in turn.

The present invention also provides another kind of Portal client, comprising:

Serial number request unit, for in the time that this Portal client need to roll off the production line, send the serial number request message for the sequence number of asking to roll off the production line to Portal server, and receive the sequence number back message using that Portal server returns, in described sequence number back message using, carrying described Portal server is the sequence number that rolls off the production line that a described Portal client is distributed, wherein, the distribution of the described sequence number that rolls off the production line is the sequencing that described Portal server basis receives the serial number request message of each Portal client transmission, for each Portal client is distributed in turn,

Processing unit rolls off the production line, for sending to described Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include roll off the production line an IP address of sequence number and a Portal client of the first authenticator, described first, wherein, described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first sequence number that rolls off the production line;

Wherein, described first in the request message that the roll off the production line sequence number that rolls off the production line first rolls off the production line sequence number whether within the sliding window scope in the local anti-replay arranging of described Portal server for judge this for described Portal server, and the request message that rolls off the production line described in abandoning while being no in judged result; Wherein, the two ends of described sliding window are respectively the maximum and the recklings that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line of described Portal server;

Can find out from the above, provided by the invention between Portal server and Portal client the method and apparatus of anti-replay-attack, be that client is distributed corresponding sequence number (as user's sequence number or the sequence number that rolls off the production line) by Portal client, and in verification process, utilize this sequence number to detect playback message rolling off the production line, thereby the Replay Attack of the request message that can effectively prevent from rolling off the production line, the fail safe that improves Portal Verification System.

Accompanying drawing explanation

Fig. 1 is that the Portal client of prior art initiatively requires the schematic flow sheet rolling off the production line;

Fig. 2 is the schematic flow sheet of the method for anti-replay-attack described in the embodiment of the present invention 1;

Fig. 3 is the form schematic diagram of portal protocol message;

Fig. 4 is the structural representation of Portal server described in the embodiment of the present invention 1;

Fig. 5 is the structural representation of Portal client described in the embodiment of the present invention 1;

Fig. 6 is the schematic flow sheet of the method for anti-replay-attack described in the embodiment of the present invention 2;

Fig. 7 is the structural representation of Portal server described in the embodiment of the present invention 2;

Fig. 8 is the structural representation of Portal client described in the embodiment of the present invention 2.

Embodiment

In prior art, exist the reason of go-between's Replay Attack safety problem to be, the Portal server in prior art scheme is mainly to have verified this credibility rolling off the production line in request message.In other words, checking be the part specific field of request message of rolling off the production line, the trusted relationships between preset shared key and this three of authentication code (Authenticator) field of rolling off the production line in request message.Be merely able to the credibility of the request message that guarantees this according to the verification process of this relation, if this message victim was distorted, can detect.But, can not verify and that is to say starting property of this request message, can not distinguish this request message and whether repeat to send.

Main thought of the present invention is, in the proof procedure at Portal server for Portal client, by the credible factor of introducing and this Portal User is associated, to solve the safety problem that go-between's Replay Attack causes.Below with reference to accompanying drawing, by specific embodiment, the present invention is further illustrated.

< embodiment 1>

In the present embodiment, Portal server is user's sequence number of this Portal client distribution after arbitrary Portal client is reached the standard grade, and for same Portal client, Portal server guarantees that this Portal client is assigned to different user's sequence numbers at every turn after reaching the standard grade as far as possible, and Portal server is preserved the corresponding relation between user's sequence number and the IP address of each online Portal client in this locality, and then receiving the rolling off the production line after request message of Portal client, the user's sequence number carrying in the corresponding relation of preserving according to this locality and the request message that rolls off the production line, verify starting property of this message.

As shown in Figure 2, the method for anti-replay-attack between Portal server and Portal client that the present embodiment provides, comprises the following steps:

Step 21, Portal client, in the time that needs are reached the standard grade, sends to Portal server the request message (login_request) of reaching the standard grade, Portal server is after the authentication of reaching the standard grade of this Portal client is passed through, for this Portal client distributing IP address and user's sequence number, and return to one to this Portal client and be used to indicate the back message using of reaching the standard grade (login_response) that passes through of authentication, this back message using of reaching the standard grade comprises a field (as self-defining USER_SEQNUM field), this field carries distributes to this Portal client, be used for user's sequence number of this Portal client of unique identification, simultaneously, Portal server is also at mapping table of local maintenance, in this mapping table, preserve the corresponding relation between IP address and the user's sequence number that distributes this Portal client.Portal client is to reaching the standard grade after back message using, and therefrom extracting Portal server is IP address and user's sequence number of its distribution, and after this Portal client can be used this access the Internet, IP address.

Here, Portal server, in the time being Portal client distributing user sequence number, need to guarantee that Portal client is assigned to same user's sequence number at homogeneous not probability after reaching the standard grade is not more than predetermined value, and the concrete method of salary distribution can be:

1), in the numerical space of a pre-sizing (being assumed to be N), choose at random a numerical value, as user's sequence number of Portal client.Under this method of salary distribution, suppose that Portal client is assigned to user's sequence number 1 after reaching the standard grade for the 1st time, the probability that is still assigned to user's sequence number 1 after reaching the standard grade for the 2nd time is 1/N.As long as N is enough large, just can guarantee that Portal client is assigned to same user's sequence number at homogeneous not probability after reaching the standard grade is enough little.For example,, when N gets 2 ³²or 2 ⁶⁴time, can meet the demand of the anti-replay-attack in actual use.

2) reach the standard grade and authenticate the sequencing passing through according to each Portal client, the numerical value in predetermined numerical space (being assumed to be N) is distributed to each Portal client in turn, as user's sequence number of each Portal client.In this case, suppose that Portal client is assigned to user's sequence number 1 after reaching the standard grade for the 1st time, the probability that is still assigned to user's sequence number 1 after reaching the standard grade for the 2nd time is less than 1/N.

Here, distributing in turn can be to increase progressively in turn distribution, as the sequencing that passes through of authentication of reaching the standard grade of Portal client is: Portal client 1, Portal client 2, Portal client 3 ..., be so Portal client 1, Portal client 2, Portal client 3 ... user's sequence number of distribution respectively: n, n+1, n+2 ....Reach the upper of numerical space at the user's sequence number distributing and prescribe a time limit, continue to start to loop distribution from the lower limit of numerical space.

Distributing in turn can also be the distribution of successively decreasing in turn, now for above-mentioned Portal client 1, Portal client 2, Portal client 3 ... user's sequence number of distribution respectively: n, n-1, n-2 ....Reach the lower of numerical space at the user's sequence number distributing and prescribe a time limit, continue to start to loop distribution from the upper limit of numerical space.

In following table 1, illustrated mapping table that Portal server safeguards in the content that may comprise.Wherein user's sequence number of every row and IP address are exactly user's sequence number and the IP address that Portal server distributes for certain client.

ID	User's sequence number	Time started	IP address	MAC Address	NAS_IP
						40032	2	2009-7-10 15:49:05	1.1.1.101	00:31:00:00:00:01	85.1.1.1
40033	3	2009-7-10 15:49:06	1.1.1.102	00:31:00:00:00:02	85.1.1.1
						40034	4	2009-7-10 15:49:07	1.1.1.103	00:31:00:00:00:03	85.1.1.1
40035	5	2009-7-10 15:49:08	1.1.1.104	00:31:00:00:00:04	85.1.1.1

Table 1

From hereinafter can finding out of the present embodiment, in the present embodiment, Portal server inspection be to distribute to the corresponding relation between IP address and user's sequence number of this Portal client by Portal server.And some clients are in the upper line process of homogeneous not, the probability that is just assigned to identical IP address and identical user's sequence number is lower, with 2 ⁶⁴user's sequence number numerical value space of size is example, and this probability is: 1/m*2 ⁶⁴, wherein suppose that m is that allocatable space and the IP address of IP address is also Random assignment.This probability is extremely small, enough the anti-replay demand in current actual use.If need stronger safety assurance, can consider further to increase the size in user's sequence number numerical value space; Can also periodically between Portal client and Portal server, carry out the renewal of preset shared key.

Step 22, suppose certain Portal client, as a Portal client need to roll off the production line, the one Portal client will send the request message that rolls off the production line to Portal server, in the described request message that rolls off the production line, include the first authenticator, the one IP address of described first user sequence number and a Portal client, wherein, described the first authenticator is that a Portal client is according to predetermined digest algorithm, the described predetermined field rolling off the production line in request message and local preset shared key of preserving are carried out to digest calculations obtains, described predetermined field includes described first user sequence number.

Here, the described first user sequence number rolling off the production line in request message is for offering described Portal server and second user's sequence number compares, and first, request message rolls off the production line described in second user's sequence number abandons when not identical, wherein, described second user's sequence number is that described Portal server is searched the user sequence number corresponding with an IP address that the local mapping table of preserving obtains, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value.In the time that first, second user's sequence number is identical, described the first authenticator rolling off the production line in request message is for offering described Portal server and the second authenticator compares, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, described the second authenticator be described Portal server in the time that described first, second user's sequence number is identical, according to predetermined digest algorithm, preset shared key and described predetermined field are carried out that digest calculations obtains.

Here, a Portal client need to, according to predetermined digest algorithm (as MD5), be carried out digest calculations to the predetermined field and the preset shared key that roll off the production line in request message.The request message that rolls off the production line is a kind of portal protocol message, and the form of portal protocol message as shown in Figure 3.In the present embodiment, comprise for the described predetermined field of carrying out digest calculations: 0 and Attributes field of Ver field, the type field, PAP/CHAP field, Rsvd field, SerialNo field, ReqID field, UserIP field, UserPort field, ErrCode field, AttrNum field, 16 bytes, the first authenticator calculating is carried at authentication code (Authenticator) field in authentication request packet.Wherein, first user sequence number is included in the sub-attribute field USER_SEQNUM in Attributes field.

Step 23, Portal server receives for the above-mentioned of a Portal client and rolls off the production line after request message, from this message, extract an IP address and the first user sequence number of a Portal client, and search second user's sequence number corresponding to a described IP address in the mapping table of preserving in this locality, and judge that whether described second user's sequence number is identical with described first user sequence number: if, enter step 24, otherwise enter step 26;

Step 24, Portal server is according to predetermined digest algorithm, the described described predetermined field rolling off the production line in request message and local preset shared key of preserving are carried out to digest calculations, obtain the second authenticator, and whether the first authenticator carrying in the request message that rolls off the production line described in judgement is identical with described the second authenticator: if so, enter step 25; Otherwise enter step 26.

Here, the preset shared key that server and client side preserves is separately identical, and the synchronous method of shared key is same as the prior art.

Step 25, Portal server judge a described Portal client roll off the production line authentication pass through.After the authentication of rolling off the production line of a described Portal client is passed through, Portal server is by according to the identical processing mode of prior art, the relevant information that continuation and the mutual Portal client-requested of BAS roll off the production line, and receive that BAS returns to answering after message, return to a Portal client back message using that rolls off the production line, be used to indicate and roll off the production line successfully.The one Portal client receives that this rolls off the production line after back message using, thinks and oneself successfully rolls off the production line.

Step 26, Portal server judges the authentification failure that rolls off the production line of a described Portal client, request message process ends roll off the production line described in now directly abandoning.

Can find out from above flow process, user's sequence number that in the present embodiment, Portal client is assigned at every turn after reaching the standard grade conventionally can be not identical, and the factor of Portal client using user's sequence number as MD5 digest computing, also includes the information of user's sequence number in the request message that makes to roll off the production line.Like this, when go-between assailant intercepts certain request message that rolls off the production line once that Portal client sends to Portal server, and this request message that rolls off the production line of resetting after this Portal client is reached the standard grade is again while attacking, because the current user's sequence number being assigned with of this user's sequence number rolling off the production line in request message and this Portal client is different, therefore can to judge this request message that rolls off the production line be a playback message to Portal server, so this message is carried out to discard processing, makes assailant's attack failure.The user sequence number that Portal server distributes while reaching the standard grade even if assailant has intercepted and captured Portal client the last time, and what use this user's sequence number to substitute to reset rolls off the production line when corresponding field in request message, Portal server still can detect by above-mentioned steps 24, therefore Portal server is in the time carrying out MD5 computing according to roll off the production line predetermined field (this predetermined field comprises user's sequence number) in request message and preset shared key, can find that operation result is different from the authenticator carrying in this request message that rolls off the production line, therefore judge that this request message that rolls off the production line has occurred to distort, so still this is rolled off the production line, request message abandons.

The present embodiment also provides the equipment of the method for implementing above-mentioned anti-replay-attack, specifically comprises Portal server and Portal client.

Wherein, as shown in Figure 4, the Portal server that the present embodiment provides, comprising:

The first judging unit, searches second user's sequence number corresponding to a described IP address for the mapping table of preserving in this locality, and judges that whether described second user's sequence number is identical with described first user sequence number: if so, trigger the second judging unit; Otherwise request message rolls off the production line described in abandoning; Wherein, in described mapping table, preserve described Portal server and be the corresponding relation between IP address and the user's sequence number that each online Portal client distributes, and the probability that arbitrary Portal client is assigned to same user's sequence number after reaching the standard grade for any twice is not more than predetermined value;

Preferably, Portal server shown in Fig. 4 also comprises: serial number assignment unit, after passing through for the authentication of reaching the standard grade in each Portal client, for each Portal client distributing user sequence number, and distributed user's sequence number is carried in authentication back message using and sends to corresponding Portal client.Concrete, a numerical value also, for for arbitrary Portal client, is selected at random, as user's sequence number of this Portal client in described serial number assignment unit in predetermined numerical space; Or the sequencing passing through for the authentication of reaching the standard grade according to each Portal client, distributes to each Portal client by the numerical value in predetermined numerical space, in turn as user's sequence number of each Portal client.

As shown in Figure 5, the Portal client that the present embodiment provides, comprising:

Processing unit rolls off the production line, for in the time that this Portal client need to roll off the production line, send to described Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include an IP address and the first user sequence number of the first authenticator, a Portal client, wherein, described first user sequence number is that described Portal server is the sequence number that a Portal client is distributed after a Portal client is reached the standard grade, and the probability that arbitrary Portal client is assigned to same user's sequence number by described Portal server at every turn after reaching the standard grade is less than predetermined value; Described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first user sequence number;

In the time that first, second user's sequence number is identical, described the first authenticator rolling off the production line in request message is for comparing for described Portal server and the second authenticator, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, described the second authenticator be described Portal server in the time that described first, second user's sequence number is identical, according to predetermined digest algorithm, preset shared key and described predetermined field are carried out that digest calculations obtains.

Preferably, the Portal client shown in Fig. 5, also comprises:

< embodiment 2>

In the present embodiment, Portal client is in the time rolling off the production line, need first to sequence number that rolls off the production line of Portal server request, this sequence number that rolls off the production line is to distribute in turn each Portal client, that is, and and according to the order that rolls off the production line of each Portal client, sequence number in turn that distribute increases progressively or successively decreases in turn, and Portal server is the sliding window for anti-replay in local maintenance one also, utilize this sliding window to detect starting property of the request message that rolls off the production line.

As shown in Figure 6, the method for anti-replay-attack between Portal server and Portal client that the present embodiment provides, comprises the following steps:

Step 61, Portal client, in the time that needs roll off the production line, first sends a serial number request message for the sequence number of asking to roll off the production line to Portal server;

Step 62, after the serial number request message for the sequence number of asking to roll off the production line that Portal server receives that each Portal client sends in the time need to rolling off the production line, according to the sequencing that receives described serial number request message, for each Portal client is distributed the sequence number that rolls off the production line in turn, and to each Portal client back message using that transmits Sequence Number respectively, in described sequence number back message using, carry the sequence number that rolls off the production line of distributing to corresponding Portal client.Like this, each Portal client that need to roll off the production line just can from sequence number back message using, extract Portal server be oneself distribute the sequence number that rolls off the production line.

Here, distributing in turn can be to increase progressively in turn distribution, as the sequencing that receives the good request message of sequence number of each Portal client is: Portal client 1, Portal client 2, Portal client 3 ..., be so Portal client 1, Portal client 2, Portal client 3 ... distribution roll off the production line sequence number respectively: n, n+1, n+2 ....The upper of numerical space that reaches pre-sizing at the sequence number that rolls off the production line distributing prescribed a time limit, and continues to start to loop distribution from the lower limit of numerical space.Here n is an integer.

Distributing in turn can also be the distribution of successively decreasing in turn, now for above-mentioned Portal client 1, Portal client 2, Portal client 3 ... distribution roll off the production line sequence number respectively: n, n-1, n-2 ....The lower of numerical space that reaches pre-sizing at the sequence number that rolls off the production line distributing prescribed a time limit, and continues to start to loop distribution from the upper limit of numerical space.

The size of above-mentioned numerical space can, according to actual application environment, be chosen as the number of Portal client terminal quantity, for example, get 2 ³²or 2 ⁶⁴conventionally can meet the demand of the anti-replay-attack in actual use.The present embodiment not concrete size in logarithm value space limits, even if this numerical space is less, according to the processing mode of the present embodiment, also can on certain probability, judge the message of Replay Attack, thus the Replay Attack of the request message that prevents to a certain extent rolling off the production line.

Step 63, the arbitrary Portal client (being assumed to be a Portal client) rolling off the production line take needs describes as example, the one Portal client rolls off the production line after back message using receiving, extract the sequence number that rolls off the production line (be assumed to be first roll off the production line sequence number) wherein carrying, then send to described Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include the first authenticator, the described first IP address of rolling off the production line sequence number and a Portal client, wherein, described the first authenticator is according to predetermined digest algorithm, the preset shared key that this locality is preserved and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first sequence number that rolls off the production line.

Here, described first in the request message that the roll off the production line sequence number that rolls off the production line first rolls off the production line within the sliding window scope of the anti-replay whether sequence number safeguard in described Portal server for judge this for described Portal server, and the request message that rolls off the production line described in abandoning while being no in judged result; Wherein, the two ends of described sliding window are respectively the maximum and the recklings that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line of described Portal server;

Roll off the production line sequence number within described sliding window scope time described first, described the first authenticator rolling off the production line in request message is for offering described Portal server and the second authenticator compares, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, to be described Portal server roll off the production line sequence number when identical at described first, second to described the second authenticator, according to predetermined digest algorithm, preset shared key and described predetermined field carried out that digest calculations obtains.

Step 64, Portal server receives described in a Portal client and rolls off the production line after request message, the first authenticator rolling off the production line described in extraction in request message, the first IP address of rolling off the production line sequence number and a Portal client, then judge that described first rolls off the production line sequence number whether within the sliding window scope of the anti-replay in local maintenance, to be respectively that described Portal server is current dispense at the two ends of described sliding window, and the maximum and the reckling that roll off the production line in sequence number of the Portal client not yet authenticating by rolling off the production line: if, enter step 65, otherwise enter step 67.

Step 65, Portal server is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out digest calculations, obtain the second authenticator, and judge that whether first, second authenticator identical: if so, enter step 66; Otherwise enter step 67.

Step 66, Portal server judge a described Portal client roll off the production line authentication pass through.After the authentication of rolling off the production line of a described Portal client is passed through, Portal server will slide accordingly to described sliding window, make the two ends of sliding window be respectively the maximum and the reckling that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line of Portal server.After the authentication of rolling off the production line of a described Portal client is passed through, Portal server is also by according to the handling process of prior art, the relevant information that continuation and the mutual Portal client-requested of BAS roll off the production line, and receiving after the response message that BAS returns, return and be used to indicate the back message using that successfully rolls off the production line that rolls off the production line to a Portal client, the one Portal client receives that this rolls off the production line after back message using, thinks and oneself successfully rolls off the production line.

Here, after the authentication of rolling off the production line of a Portal client is passed through, Portal server may need described sliding window to carry out suitable sliding transfer, so that its two ends are corresponding with the maximum and the reckling that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line respectively.

Step 67, Portal server judges the authentification failure that rolls off the production line of a described Portal client, request message process ends roll off the production line described in now directly abandoning.

Can find out from above flow process, the roll off the production line sliding window of sequence number of the present embodiment utilization is verified starting property of message, with the Replay Attack of the request message that prevents from rolling off the production line.When utilizing the request message that rolls off the production line of certain Portal client of previous intercepting and capturing, assailant initiates Replay Attack; because the sequence number that rolls off the production line rolling off the production line in request message of resetting conventionally can be outside sliding window; to cause this request message that rolls off the production line to be dropped, attack proves an abortion.Even if it is the last sequence number that rolls off the production line distributing of Portal client that assailant has intercepted and captured Portal server, and use this sequence number that rolls off the production line to substitute the corresponding field rolling off the production line in request message of previously having intercepted and captured, Portal server still can detect by above-mentioned steps 65, therefore Portal server is in the time carrying out MD5 computing according to roll off the production line predetermined field (this predetermined field comprises the sequence number that rolls off the production line) in request message and preset shared key, can find that operation result is different from the authenticator carrying in this request message that rolls off the production line, therefore judge that this request message that rolls off the production line has occurred to distort, so still this is rolled off the production line, request message abandons.

Wherein, as shown in Figure 7, the Portal server that the present embodiment provides, comprising:

Preferably, Portal server shown in Fig. 7, also comprise: serial number assignment unit, for after the serial number request message for the sequence number of asking to roll off the production line that receives that each Portal client sends in the time need to rolling off the production line, according to the sequencing that receives described serial number request message, for each Portal client is distributed the sequence number that rolls off the production line in turn.

Wherein, as shown in Figure 8, the Portal client that the present embodiment provides, comprising:

Wherein, described first in the request message that the roll off the production line sequence number that rolls off the production line first rolls off the production line sequence number whether within the sliding window scope in the local anti-replay arranging of described Portal server for judge this for described Portal server, and the request message that rolls off the production line described in abandoning while being no in judged result; Wherein, the two ends of described sliding window are respectively the maximum and the recklings that roll off the production line in sequence number of the current Portal client having dispensed and not yet authenticate by rolling off the production line of described Portal server.

Roll off the production line sequence number within described sliding window scope time described first, described the first authenticator rolling off the production line in request message is for comparing for described Portal server and the second authenticator, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, to be described Portal server roll off the production line sequence number when identical at described first, second to described the second authenticator, according to predetermined digest algorithm, preset shared key and described predetermined field carried out that digest calculations obtains.

In sum, in the method and apparatus of the anti-replay-attack that the embodiment of the present invention provides, Portal client is that client is distributed corresponding sequence number (as user's sequence number or the sequence number that rolls off the production line), and in verification process, utilize this sequence number to detect playback message rolling off the production line, thereby the Replay Attack of the request message that can effectively prevent from rolling off the production line, the fail safe that improves Portal Verification System.

The above is only embodiments of the present invention; it should be pointed out that for those skilled in the art, under the premise without departing from the principles of the invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.

Claims

1. a method that prevents Replay Attack between Portal server and Portal client of being carried out by Portal server, is characterized in that, comprising:

2. the method for claim 1, is characterized in that, also comprises:

3. method as claimed in claim 2, is characterized in that,

Describedly for each Portal client distributing user sequence number be:

4. method as claimed in claim 2, it is characterized in that, in described step C, after the authentication of rolling off the production line that judges a described Portal client is passed through, described Portal server is further deleted the corresponding relation between a described IP address and the described second user's sequence number of preserving in described mapping table.

5. by a method that prevents Replay Attack between Portal server and Portal client for Portal client executing, it is characterized in that, comprising:

The one Portal client is in the time that needs roll off the production line, send to Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include an IP address and the first user sequence number of the first authenticator, a Portal client, wherein, described first user sequence number is that described Portal server is user's sequence number that a Portal client is distributed after a Portal client is reached the standard grade, and the probability that arbitrary Portal client is assigned to same user's sequence number by described Portal server at every turn after reaching the standard grade is not more than predetermined value; Described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first user sequence number;

6. method as claimed in claim 5, is characterized in that, before the request message that rolls off the production line described in sending, described method also comprises:

7. a Portal server, is characterized in that, comprising:

8. Portal server as claimed in claim 7, is characterized in that, also comprises:

9. Portal server as claimed in claim 8, is characterized in that,

10. a Portal client, is characterized in that, comprising:

Processing unit rolls off the production line, for in the time that this Portal client need to roll off the production line, send to described Portal server the request message that rolls off the production line, in the described request message that rolls off the production line, include the first authenticator, the one IP address and the first user sequence number of the one Portal client, wherein, described first user sequence number is that described Portal server is user's sequence number that a Portal client is distributed after a Portal client is reached the standard grade, and the probability that arbitrary Portal client is assigned to same user's sequence number by described Portal server at every turn after reaching the standard grade is not more than predetermined value, described the first authenticator is according to predetermined digest algorithm, to preset shared key and described in the predetermined field that rolls off the production line in request message carry out that digest calculations obtains, described predetermined field includes described first user sequence number,

11. Portal clients as claimed in claim 10, is characterized in that, also comprise:

The method of 12. 1 kinds of anti-replay-attacks between Portal server and Portal client, is characterized in that, comprising:

The method of 13. 1 kinds of anti-replay-attacks between Portal server and Portal client, is characterized in that, comprising:

The one Portal client is in the time that needs roll off the production line, send the serial number request message for the sequence number of asking to roll off the production line to Portal server, and receive the sequence number back message using that Portal server returns, in described sequence number back message using, carry described Portal server and be a described Portal client distributes first sequence number that rolls off the production line, wherein, the distribution of the described sequence number that rolls off the production line is described Portal server according to the sequencing that receives the serial number request message that each Portal client sends, for each Portal client is distributed in turn;

Described the first authenticator rolling off the production line in request message is for comparing for described Portal server and the second authenticator, and in the time that first, second authenticator is identical, judge a described Portal client roll off the production line authentication pass through, request message rolls off the production line described in abandoning in the time that described first, second authenticator is not identical; Wherein, described the second authenticator is described Portal server described first while rolling off the production line within the sliding window scope of sequence number in described anti-replay, according to predetermined digest algorithm, preset shared key and described predetermined field is carried out that digest calculations obtains.

14. 1 kinds of Portal server, is characterized in that, comprising:

15. Portal server as claimed in claim 14, is characterized in that, also comprise:

16. 1 kinds of Portal clients, is characterized in that, comprising:

Serial number request unit, for in the time that this Portal client need to roll off the production line, send the serial number request message for the sequence number of asking to roll off the production line to Portal server, and receive the sequence number back message using that Portal server returns, in described sequence number back message using, carry described Portal server and be a described Portal client distributes first sequence number that rolls off the production line, wherein, the distribution of the described sequence number that rolls off the production line is the sequencing that described Portal server basis receives the serial number request message of each Portal client transmission, for each Portal client is distributed in turn,