CN102739659B - Authentication method for preventing replay attack - Google Patents


Info

Publication number
CN102739659B
Authority
CN
China
Legal status
Active
Application number
CN201210200262.3A
Other languages
Chinese (zh)
Other versions
CN102739659A (en)
Inventor
赵淦森
巴钟杰
李子柳
李惊生
Current Assignee
South China Normal University
GCI Science and Technology Co Ltd
Original Assignee
South China Normal University
GCI Science and Technology Co Ltd
Priority date
2012-06-16
Filing date
2012-06-16
Publication date
2015-07-08
Application filed by South China Normal University and GCI Science and Technology Co Ltd

Abstract

The invention discloses an authentication method for preventing replay attacks. The method comprises the following steps: transmitting an authentication credential and a service request to an application server, where the authentication credential has been acquired by the client from a login authentication server and carries a first time stamp; identifying the order of the user's requests by means of a unidirectional data chain; calculating, at the login authentication server, the time difference between the current time and the first time stamp; packaging a judgement result, the time difference and a unidirectional data chain value into verification information; and transmitting the verification information to the application server, which judges from the received unidirectional data chain value whether the verification information is a replay, and judges from the time difference and the judgement result whether the service request was authenticated within the validity period. No time synchronization is required, so the added complexity of the system or protocol and the delay caused by time synchronization are both avoided, and the use of the unidirectional data chain removes the possibility that a user request is replayed.

Description

An authentication method for preventing replay attacks
Technical field
The present invention relates to the field of authentication in communication systems, and in particular to an authentication method for preventing replay attacks.
Background technology
A replay attack (also called a playback attack or freshness attack) is one in which an attacker re-sends a packet that the destination host has already received, in order to deceive the system. It is mainly used against authentication procedures, to undermine the correctness of authentication. In a replay attack a valid data transmission is maliciously or fraudulently repeated: the attacker uses network monitoring or other means to steal an authentication credential and later sends it to the authentication server again, breaking the security of the authentication. For example, capturing a cookie by monitoring HTTP traffic (or by other means) and submitting that cookie is a replay attack; another user's cookie can easily be copied to obtain the corresponding authentication credentials.
To protect a server from replay attacks, the prior art generally adopts a time-based defence mechanism. So that different servers can directly identify whether a received message has expired, a time stamp plays an important role, but because there can be a certain time difference between the party that stamps the time and the party that receives the message, time synchronization is generally performed either with the IEEE 1588 Precision Time Protocol (PTP) or with a loose time synchronization method. Using a dedicated time synchronization protocol may make the communication protocol or system more complex and increase its instability. With the loose method, in which the two services perform a three-way handshake and the server then calculates the maximum time difference between them, the system or protocol must tolerate a certain delay or asynchrony, but in some systems or protocols such delay or asynchrony is not permitted.
Summary of the invention
The technical problem to be solved by the present invention is to provide an authentication method for preventing replay attacks that does not require time synchronization; the method increases the security of the authentication system.
To solve the above technical problem, the technical solution adopted by the present invention is as follows:
An authentication method for preventing replay attacks, comprising the following steps:
The client sends a login request message to the login authentication server;
The login authentication server generates an authentication credential containing a first time stamp that marks the current time, and returns it to the client;
The client sends a service request, the authentication credential obtained from the login authentication server and a one-way data chain value generated by the client itself to the application server;
The application server sends the information containing the authentication credential and the one-way data chain value to the login authentication server;
The login authentication server judges the correctness of the authentication credential and calculates the time difference between the current time and the first time stamp, then packages the judgement result (which proves whether the user has logged in, i.e. whether the credential is correct), the time difference and the received one-way data chain value into check information and sends it to the application server;
The application server receives the check information and judges whether the received one-way data chain value is the latest one-way data chain value; if not, the message is judged to be a replay and the check information is discarded directly; if so, the application server responds to the client's service request according to the check information.
As a further preferred embodiment, the application server responding to the client's service request according to the check information comprises the following steps:
Compare the time difference in the check information with the set validity period and judge whether the time difference is greater than the set validity period; if so, discard the check information; if not, perform the next step;
Judge whether the judgement result is correct; if the authentication credential is correct, perform the service response; if not, discard the check information.
As a further preferred embodiment, the set validity period comes from the application server side.
As a further preferred embodiment, the set validity period comes from the login authentication server side.
As a further preferred embodiment, the set validity period can be adjusted manually.
The beneficial effect of the present invention is as follows: in the authentication method for preventing replay attacks of the present invention, the validity of the authentication credential is not checked by comparing the time difference at the application server side; instead, the validity check of the credential is transferred to the login authentication server side. Because the first time stamp on the credential is generated by the login authentication server, the login authentication server's local time is compared with the first time stamp when the validity of the credential is checked, which guarantees the accuracy of the check and makes it unnecessary to synchronize the clocks of the application server and the login authentication server. The one-way data chain further ensures that the user's legitimate service requests cannot be replayed.
Description of the drawings
The specific embodiments of the present invention are further described below with reference to the accompanying drawings:
Fig. 1 is a flow chart of the steps of the authentication method for preventing replay attacks of the present invention;
Fig. 2 is a flow chart of the steps of a preferred embodiment of the authentication method of the present invention in which the application server responds to the client's service request according to the check information;
Fig. 3 is a schematic diagram of an application scenario of the authentication method for preventing replay attacks of the present invention;
Fig. 4 is a schematic diagram of the application of the one-way data chain of the present invention.
Embodiment
Referring to Fig. 1, an authentication method for preventing replay attacks comprises the following steps:
The client sends a login request message to the login authentication server;
The login authentication server generates an authentication credential containing a first time stamp Time_signOn that marks the current time, and returns it to the client;
The client sends a service request, the authentication credential obtained from the login authentication server and a one-way data chain value generated by the client itself to the application server;
The application server sends the information containing the authentication credential and the one-way data chain value to the login authentication server;
The login authentication server judges the correctness of the authentication credential and calculates the time difference between the current time Time_current and the first time stamp Time_signOn, then packages the judgement result (which proves whether the user has logged in, i.e. whether the credential is correct), the time difference and the received one-way data chain value into check information and sends it to the application server;
The application server receives the check information and judges whether the received one-way data chain value is the latest one-way data chain value. Specifically, the application server applies the hash function to the received one-way data chain value and judges whether the result equals the one-way data chain value stored on the application server. If they are equal, the application server responds to the client's service request according to the check information and stores the received chain value in place of the originally stored one; if not, the message is judged to be a replay and the check information is discarded directly. When the application server responds to the client's first service request, the received one-way data chain value is the latest value, so it is simply stored on the application server; in every subsequent service response the application server must apply the hash function to the one-way data chain value in the check information and compare the result with the stored value, to judge whether the received value is the latest one and thereby prevent replay of the client's service requests.
Referring to Fig. 4, a one-way data chain (one-way chain), also known as a hash chain, is a cryptographic protection scheme for insecure environments; in the present invention this mechanism is used to prevent replay of the service request messages sent by the client. Fig. 4 shows the construction and the application of the one-way data chain. The chain is generated by repeatedly applying a one-way function F (also called a hash function) in one direction, and because F is irreversible this yields a multi-level sequence of one-way data chain values S_i such that F(S_i) = S_(i-1) and F^i(S_i) = S_0. When the chain is used, the values S_i are consumed in the reverse of the order in which they were generated, so even if a third party steals a chain value that has already been used, it cannot learn the next chain value and therefore cannot replay the authentication message. By means of the one-way data chain, the application server of the present invention can ensure that a service request message sent by the client is genuine and not the product of a replay attack.
As a further preferred embodiment, referring to Fig. 2, the application server responding to the client's service request according to the check information comprises the following steps:
Compare the time difference in the check information with the set validity period and judge whether the time difference is greater than the set validity period; if so, discard the check information; if not, perform the next step;
Judge whether the judgement result is correct; if the authentication credential is correct, perform the service response; if not, discard the check information.
As a further preferred embodiment, the set validity period comes from the application server side; for example, it may be read from the memory of the application server.
As a further preferred embodiment, the set validity period comes from the login authentication server side; for example, it is included in the packaged check information and the application server reads it from the check information, which ensures that the value of the preset validity period is adjusted at the login authentication server side.
As a further preferred embodiment, the set validity period can be adjusted manually to suit different application scenarios.
Fig. 3 is a schematic diagram of an application scenario of the authentication method for preventing replay attacks of the present invention:
S1: the client sends a login request to the login authentication server;
S2: the login authentication server sends a login response to the client. The login response is the authentication credential generated at the login authentication server side; it contains the first time stamp Time_signOn that marks the current time, and also other information used for authentication, such as a check code, which identifies whether the user has logged in successfully;
S3: the user sends a service request to the application server through the client; the service request contains the authentication credential (which includes the first time stamp Time_signOn) together with the one-way data chain value, etc. The user's client itself maintains a one-way data chain (one-way chain) and its latest chain value, for example the latest chain value S_12;
S4: the application server sends the authentication credential, the one-way data chain value S_12 and other relevant information to the login authentication server; the application server itself holds the one-way data chain value S_11 from the previous verification;
S5: the login authentication server judges the correctness of the authentication credential against the stored authentication information and generates a judgement result, which proves whether the user has logged in; it calculates the time difference between its own current time Time_current and the first time stamp Time_signOn, then packages the judgement result, the time difference and the one-way data chain value S_12 into check information and sends it to the application server;
S6: the application server receives the check information and judges whether the received one-way data chain value S_12 is the latest one, i.e. it applies the hash function to S_12 and judges whether the result equals the stored one-way data chain value S_11; if not, the check information is discarded directly; if so, it goes on to read the judgement result and the time difference in the check information, and if the service request was authenticated successfully within the set validity period, the application server performs the service response. The one-way data chain value stored at the application server side can then be updated to S_12. Even if an eavesdropper sniffs the one-way data chain value S_12, it cannot derive the latest value S_13, so a replay attack is avoided.
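The exchange S1 to S6 above, together with the hash-chain check of Fig. 4, as an added Python example; this is not code from the patent or its assignees. SHA-256 as the one-way function F, an HMAC check code inside the credential, the fake clock, the user names and the result strings are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


def F(value: bytes) -> bytes:
    """One-way function used to build the chain: SHA-256 here (the patent only says 'hash function')."""
    return hashlib.sha256(value).digest()


def generate_chain(seed: bytes, length: int) -> list:
    """Return [S_0, ..., S_length] with F(S_i) = S_(i-1) and S_length = seed.
    Computed from the seed downwards but consumed upwards, so an eavesdropper
    holding S_i would have to invert F to obtain S_(i+1)."""
    chain = [seed]
    for _ in range(length):
        chain.append(F(chain[-1]))
    chain.reverse()
    return chain


class LoginAuthServer:
    """Issues the credential (S2) and builds the check information (S5)."""

    def __init__(self, key: bytes, clock=time.time):
        self.key = key          # assumed: HMAC key for the credential's check code
        self.clock = clock      # the only clock ever used for the time difference
        self.sessions = {}      # stored authentication information, per user

    def _check_code(self, user: str, time_sign_on: int) -> str:
        return hmac.new(self.key, f"{user}|{time_sign_on}".encode(), "sha256").hexdigest()

    def login(self, user: str) -> dict:
        time_sign_on = int(self.clock())                       # Time_signOn
        cred = {"user": user, "time_signOn": time_sign_on,
                "check_code": self._check_code(user, time_sign_on)}
        self.sessions[user] = cred
        return cred

    def verify(self, cred: dict, chain_value: bytes) -> dict:
        user, t = cred.get("user"), cred.get("time_signOn", 0)
        genuine = hmac.compare_digest(self._check_code(user, t), cred.get("check_code", ""))
        result = genuine and self.sessions.get(user) == cred    # judgement result
        # Time_current - Time_signOn on this server's own clock: no sync with the app server.
        return {"result": result, "time_diff": int(self.clock()) - t, "chain_value": chain_value}


class AppServer:
    """Relays to the login server (S4) and applies the chain and validity checks (S6)."""

    def __init__(self, las: LoginAuthServer, validity_seconds: int):
        self.las = las
        self.validity = validity_seconds   # claim 1: validity period set at the application server
        self.latest = {}                   # user -> most recently accepted chain value

    def handle(self, cred: dict, chain_value: bytes) -> str:
        info = self.las.verify(cred, chain_value)
        user, s_recv = cred.get("user"), info["chain_value"]
        stored = self.latest.get(user)
        # First request: nothing to compare against, so the value is stored as-is (as the patent says).
        if stored is not None and F(s_recv) != stored:
            return "replay"                # F(S_received) != S_stored: not the next chain value
        self.latest[user] = s_recv         # S_11 -> S_12; consumed even if the checks below fail
        if info["time_diff"] > self.validity:
            return "expired"
        if not info["result"]:
            return "bad-credential"
        return "ok"


def run_scenario() -> list:
    """Walk through S1-S6 on a fake clock: fresh requests, one captured replay, one expiry."""
    now = [1_000_000]

    def clock():
        return now[0]

    las = LoginAuthServer(secrets.token_bytes(32), clock=clock)
    app = AppServer(las, validity_seconds=300)
    chain = generate_chain(secrets.token_bytes(32), 20)    # client-side chain S_0..S_20
    cred = las.login("alice")                              # S1/S2
    out = [app.handle(cred, chain[11]),                    # first contact: S_11 stored directly
           app.handle(cred, chain[12])]                   # F(S_12) == S_11 -> fresh
    out.append(app.handle(dict(cred), chain[12]))          # eavesdropper resends S_12 -> replay
    out.append(app.handle(cred, chain[13]))                # F(S_13) == S_12 -> fresh
    now[0] += 600                                          # login server clock passes the window
    out.append(app.handle(cred, chain[14]))                # time_diff 600 > 300 -> expired
    return out
```

Note that the first chain value a client presents is accepted without any check, exactly as the description states; the chain only protects requests after that point.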
In the authentication method for preventing replay attacks of the present invention, the first time stamp on the authentication credential is compared with the local time of the login authentication server that generated that time stamp, which avoids the trouble of time synchronization: the complexity of the system or protocol is avoided and the delay caused by time synchronization is evaded, while the use of the one-way data chain ensures that the user's legitimate service requests cannot be replayed.
The above is a description of preferred embodiments of the present invention, but the invention is not limited to the described embodiments; a person of ordinary skill in the art can also make various equivalent variations or substitutions without departing from the spirit of the invention, and such equivalent variations or substitutions are all included within the scope defined by the claims of this application.

Claims (3)

1. An authentication method for preventing replay attacks, characterized in that it comprises the following steps:
The client sends a login request message to the login authentication server;
The login authentication server generates an authentication credential containing a first time stamp that marks the current time, and returns it to the client;
The client sends a service request, the authentication credential obtained from the login authentication server and a one-way data chain value generated by the client itself to the application server;
The application server sends the information containing the authentication credential and the one-way data chain value to the login authentication server;
The login authentication server judges the correctness of the authentication credential and calculates the time difference between the current time and the first time stamp, then packages the judgement result, the time difference and the received one-way data chain value into check information and sends it to the application server;
The application server receives the check information and judges whether the received one-way data chain value is the latest one-way data chain value; if not, the message is judged to be a replay and the check information is discarded directly; if so, the application server responds to the client's service request according to the check information, wherein responding to the client's service request according to the check information comprises the following steps:
Compare the time difference in the check information with the set validity period and judge whether the time difference is greater than the set validity period; if so, discard the check information; if not, perform the next step;
Judge whether the judgement result is correct; if the authentication credential is correct, perform the service response; if not, discard the check information; wherein the set validity period comes from the application server side.
2. The authentication method for preventing replay attacks according to claim 1, characterized in that the set validity period comes from the login authentication server side.
3. The authentication method for preventing replay attacks according to claim 2, characterized in that the set validity period can be adjusted manually.
Application CN201210200262.3A, priority date 2012-06-16, filing date 2012-06-16, "Authentication method for preventing replay attack", status Active, granted as CN102739659B (en)


Publications (2)

CN102739659A (en), published 2012-10-17
CN102739659B (en), published 2015-07-08

