CN104038344B - Identity authentication method based on regular expression - Google Patents


Publication number
CN104038344B
Authority
CN
China
Prior art keywords
regular expression
character string
random
string
character
Legal status
Expired - Fee Related
Application number
CN201410275481.7A
Other languages
Chinese (zh)
Other versions
CN104038344A (en)
Inventor
张小松
孙恩博
牛伟纳
陈瑞东
王东
吴安彬
漆艳梅
于洲
杨高明
冀风宇
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China

Landscapes

  • Document Processing Apparatus (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an identity authentication method based on regular expressions. It belongs to the field of Web security and specifically concerns a method of identifying a user by dynamically generating character strings that conform to a certain rule from a regular expression, so that the server can identify the user by such a string during each access and thereby prevent man-in-the-middle hijacking attacks. The method comprises a regular expression automatic generation module run on the server, a random string generation module run on the client, and an identity verification module that authenticates the user with a different string each time. The server matches the strings against the previously generated regular expression, and both full-string matching and non-repetition of earlier strings are enforced, so man-in-the-middle hijacking attacks can be effectively prevented.

Description

Identity authentication method based on regular expressions
Technical field
The present invention is an identity authentication method based on regular expressions. It belongs to the field of Web security and specifically concerns a method that uses a regular expression to dynamically generate character strings conforming to a certain rule in order to identify the user, so that the server can verify the user's identity with a dynamically generated string while the user accesses the site, effectively preventing man-in-the-middle hijacking attacks.
Background technology
With the maturation of Web 2.0 application technologies, new Web 2.0 applications keep appearing, and personalised, self-organising services have become mainstream. The convenience of the network leads many users to handle part of their work and life online, for example shopping and company management. However, the frequent reports in recent years of attacks on Web vulnerabilities force us to pay more attention to the security of Web applications. According to the 2013 OWASP (The Open Web Application Security Project) Top 10 report, XSS attacks and attacks on authentication are still very active. XSS and authentication attacks mainly steal the Cookies and SessionID produced when the user logs in to the website, then forge the user's identity to operate the user's account and steal further personal information or even personal property.
For most current websites, the user's authentication state is kept only in static strings that the server produces after the user logs in, such as Cookies and SessionID, and these fields are used for authentication. Although Cookies now carry an expiry time, after which they become invalid and the user must log in again to obtain new ones, which does defend against man-in-the-middle hijacking to some extent, an attacker can still obtain the user's personal information while the Cookies are valid. Authenticating the user with a static string therefore cannot avoid the risk that the authentication string is stolen.
A regular expression is a pattern that describes or matches a set of character strings conforming to certain grammatical rules. In routine work it is mostly used to process strings: matching, or extracting strings that conform to a rule from a long string. People usually overlook another property of regular expressions. A regex engine matches a regular expression with a DFA (deterministic finite automaton) or an NFA (non-deterministic finite automaton), and at the same time strings that satisfy the rule can be generated from the expression. Just as one regular expression matches a series of strings that conform to the rule, the same regular expression can generate a series of strings that conform to it, so a regular expression can be used to generate character strings dynamically.
The content of the invention
The technical problem to be solved by the present invention is to overcome the above deficiencies of the prior art by providing a dynamic identity verification method based on regular expressions. It addresses the deficiency of the traditional approach of identifying the user and the login state with the static strings Cookies and SessionID, and uses the ability of a regular expression to dynamically generate a series of character strings to verify the user's identity, effectively preventing man-in-the-middle hijacking attacks.
The invention provides the following technical scheme:
An identity authentication method based on regular expressions can be divided into three modules: a regular expression automatic generation module, a random string generation module and an identity verification module. The modules run as follows:
(1) The regular expression generation module operates as follows:
The regular expression generation module runs on the server. After the user has logged in to the website successfully over a secure channel, the server automatically generates a regular expression and associates it with the account. In the present invention the regular expression is generated automatically by randomly selecting and combining pre-written regular expression fragments. The combination is random: a random number of fragments is chosen, that many fragments are extracted from the database, and they are mixed and combined into a complete regular expression. For example, the server stores fragments such as [ab5@], [^abc], [f-k], [.], [0-9], [A-Za-z\d], {0,3}, {9}, {2,6}; four of them can be extracted (two qualifier fragments and two non-qualifier fragments) to produce the regular expression [^abc]{0,3}[0-9]{2,6}, which means 0 to 3 characters other than a, b and c followed by 2 to 6 digits from 0 to 9. A more complex example: the server holds fragments [ab5@], [^abc], [f-k], [.], [0-9], [A-Za-z\d], [% 3&], [0-9a-fA-F], {0,7}, +, {7}, *, {3,7}, {2,*}, and generating a regular expression may produce [ab5@]{0,7}[0-9]*; on the client such an expression produces strings such as ab1234 or aa@5998, and from the construction above it can be seen that such a regular expression will not produce the same string twice while the user visits the page. These examples are only a small part of what regular expressions can express; there can be many fragments and many different combined expressions, and the combination itself is random, so it is difficult for a small or medium-sized website to produce the same regular expression twice. If the server returned a regular expression stored in the database instead of a randomly generated one, it would very likely return the same regular expression to a user, and an attacker could then obtain the regular expression by statistical analysis or brute force;
(2) The random string generation module operates as follows:
This module is implemented by JavaScript code returned by the server after the server has returned a regular expression over a secure channel. It performs lexical and syntactic analysis of the returned regular expression to produce a string that conforms to the expression, and it must produce a new string and send it to the server for verification with every page request or data submission. For example, when the regular expression returned by the server is ^1(3[4-9]|5[012789]|8[78])\d{8}$, the expression produces 11-digit mobile phone numbers: after login, the first page request produces an 11-digit number such as 13846658975, and the second page request produces a different 11-digit number, which also passes verification. The string generation module therefore has to cache the strings it has already generated, to guarantee that each string produced is different from the previous ones;
(3) The identity matching verification module operates as follows:
The verification module runs on the server. The first verification uses the user name and password entered by the user, and this exchange must take place over a secure channel. After the server returns the generated regular expression, the interaction between the user and the website can be transmitted over an insecure channel while still avoiding man-in-the-middle hijacking. After login, page requests are verified with the string the client produces from the regular expression sent by the server; for convenience the string can be placed in a Cookie field. When the user's request reaches the server, the server extracts the string from the Cookie and matches it against the regular expression generated earlier. If the returned string conforms to the regular expression held by the server, the server treats the user as logged in and then stores the string in the repertoire of matched strings. In later matching, if a string that has already been used is submitted again with a page request, it fails verification and the user must log in again. This effectively avoids man-in-the-middle hijacking attacks.
Compared with the prior art, the beneficial effects of the identity authentication method based on regular expressions of the present invention are:
1. The present invention uses a regular expression to dynamically generate a series of strings obeying one rule and verifies them by regular expression matching, effectively avoiding man-in-the-middle hijacking attacks;
2. The present invention uses regular expression matching, so a single regular expression transmitted at login can be used for repeated dynamic verification; without the regular expression, a dynamic string is extremely difficult to forge;
3. The server verifies by regular expression matching, which is faster than the former SessionID string comparison.
Description of the drawings
Fig. 1 is the general implementation flow chart;
Fig. 2 is the regular expression generation flow chart;
Fig. 3 is the random string generation flow chart;
Fig. 4 is the verification module flow chart.
Specific embodiments
The identity authentication method based on regular expressions of the present invention is further described below with reference to Figures 1-4 and the specific embodiments.
The embodiments of the identity authentication method based on regular expressions of the present invention are not limited to the following examples; any variation made without departing from the inventive concept falls within the protection scope of the present invention.
Embodiment 1
The identity authentication method based on regular expressions of the present invention is further described below with reference to the drawings and the specific embodiment.
The identity authentication method of the present invention comprises three main modules: a regular expression automatic generation module, a random string automatic generation module and an identity verification module;
The concrete operating steps of the regular expression automatic generation module are:
Step 1: After the user's login is verified successfully, the program produces a random even number greater than 10 and less than 20. This range was determined by testing: if the random number is too large, the generated regular expression becomes too complex, the client takes too long to generate a string from it, and the page is delayed or appears to hang. The random number must be an even number N (for convenience N = 4 is assumed in what follows). A regular expression is generally composed of fields without a qualifier and fields with a qualifier; an even number keeps the two balanced, whereas an odd number would produce more qualifier fields than non-qualifier fields and make the generated regular expression erroneous;
Step 2: According to the random even number N produced in step 1, take N/2 (i.e. 2) regular expression fragments not containing a qualifier, such as the fragments [^abc] and [0-9] shown above, and then take N/2 (i.e. 2) regular expression fragments containing a qualifier, such as {0,3} and {2,6};
Step 3: First place the fragments containing a qualifier at random odd positions of a string array;
Step 4: Then place the fragments not containing a qualifier at random even positions of the string array, starting from position 0; this produces the regular expression [^abc]{0,3}[0-9]{2,6}.
Step 5: Then join the regular expression fragments in the string array into one complete string, which forms a complete regular expression: [^abc]{0,3}[0-9]{2,6};
Step 6: Add the start qualifier (^) and end qualifier ($) before and after the regular expression to fix the beginning and end of the string, which prevents brute-force cracking by an attacker;
Step 7: Finally return the regular expression to the user over a secure channel;
The concrete operating steps of the random string automatic generation module are:
Step 1: On receiving the regular expression returned by the server, for example ^[^abc]{0,3}[0-9]{2,6}$, first remove the start and end delimiters, then split the complete regular expression into blocks at the '}' character and put them in a string array Array;
Step 2: Traverse the elements of Array, splitting each at '{' and '}' into the string array "[^abc]", "0,3", "[0-9]", "2,6";
Step 3: Generate the random string corresponding to a fragment according to the regex rule of the preceding fragment; for example, [^abc] produces any character except a, b and c;
Step 4: According to the limits in the following qualifier expression, produce a random number M within those limits (say M = 2) and loop M times to produce a random string that satisfies both the non-qualifier regex fragment of step 3 and the qualifier expression; this may produce a string such as h@;
Step 5: If the string array Array still has data, jump to step 2;
Step 6: The loop above produces a string such as h@458. Compare the generated random string with the strings in the cache; if the same string has been generated before, jump to step 1 and regenerate; if not, output the string;
The concrete operating steps of the random string verification module are:
Step 1: After extracting the random string returned by the user, for example h@458, extract the regular expression associated with the user: [^abc]{0,3}[0-9]{2,6};
Step 2: Match the random string against the regular expression; if the match succeeds, jump to step 3, otherwise jump to step 5;
Step 3: Then check the string for duplicates: look in the strings already matched to see whether this string has been used before; if it has, jump to step 5, otherwise jump to step 4;
Step 4: Store the string and return the page requested by the user;
Step 5: Verification fails; return the login page.
The identity authentication method based on regular expressions of the present invention is not limited to the above specific embodiment. The invention extends to any new feature or any new combination disclosed in this specification, and to any new method or process step or any new combination of them.
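The verification module's five steps, run over a constructed sequence of requests, as an added JavaScript example (not the patent's code). The names accounts, registerRegex, verifyRequest and demo are this example's own; the regular expression and the string h@458 are the page's. The anchoring in registerRegex is the full-string matching that claim 2 requires: without ^ and $, RegExp.prototype.test accepts any substring match, so the check would pass strings that only contain a valid string somewhere inside them.

```javascript
// Added example (not the patent's own code): the identity verification module,
// steps 1-5, with an in-memory Map standing in for the server's session store.
// Each account maps to its regular expression and to the set of strings that
// have already passed verification (the patent's "matched character repertoire").
const accounts = new Map();

// Register the regular expression issued to an account at login.  It is
// anchored with ^ and $ so that only a full-string match counts (claim 2).
function registerRegex(account, source) {
  const anchored = (source.startsWith('^') ? '' : '^') + source + (source.endsWith('$') ? '' : '$');
  accounts.set(account, { regex: new RegExp(anchored), used: new Set() });
}

// Verify one request.  Returns 'serve-page' (step 4) or 'login-again' (step 5)
// together with a reason, so the outcome can be logged with its cause.
function verifyRequest(account, cookieString) {
  const entry = accounts.get(account);                      // step 1
  if (!entry) return { result: 'login-again', reason: 'no regex on file' };
  if (typeof cookieString !== 'string' || !entry.regex.test(cookieString)) {
    return { result: 'login-again', reason: 'no match' };   // step 2 -> step 5
  }
  if (entry.used.has(cookieString)) {
    return { result: 'login-again', reason: 'string already used' }; // step 3 -> step 5
  }
  entry.used.add(cookieString);                             // step 4: remember it
  return { result: 'serve-page', reason: 'fresh match' };
}

// Constructed request sequence: the page's own h@458 (once fresh, once replayed),
// two strings that do not fully match the expression, and a second fresh string.
function demo() {
  registerRegex('alice', '[^abc]{0,3}[0-9]{2,6}');
  const submissions = ['h@458', 'h@458', 'abc12', 'xyz12345678', '99'];
  return submissions.map((s) => [s, verifyRequest('alice', s).result]);
}
```

demo() returns the five submissions paired with their outcomes: the first h@458 is served, its replay is bounced, abc12 and xyz12345678 fail the match (the second one only because the expression is anchored), and 99 is served as a fresh match.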

Claims (4)

1. An identity authentication method based on regular expressions, comprising three main modules: a regular expression automatic generation module, a random string automatic generation module and an identity verification module, characterised in that the regular expression automatic generation module, the random string automatic generation module and the identity verification module operate as follows:
(1) The operating steps of the regular expression automatic generation module are:
Step 1: After the user's login is verified successfully, the program produces a random even number N greater than 10 and less than 20;
Step 2: According to the random even number N produced in step 1, take N/2 regular expression fragments not containing a qualifier and then take N/2 regular expression fragments containing a qualifier;
Step 3: First place the fragments containing a qualifier at random odd positions of a string array;
Step 4: Then place the fragments not containing a qualifier at random even positions of the string array, starting from position 0;
Step 5: Then join the regular expression fragments in the string array into one complete string, which forms a complete regular expression;
Step 6: Add the start qualifier (^) and end qualifier ($) before and after the regular expression;
Step 7: Finally return the regular expression to the user over a secure channel;
(2) The operating steps of the random string automatic generation module are:
Step 1: After receiving the regular expression returned by the server, first remove the start and end delimiters, then split the complete regular expression into blocks at the '}' character and put them in a string array Array;
Step 2: Traverse the elements of Array and split each element at '{';
Step 3: Generate the random string corresponding to the non-qualifier regex fragment according to the regular expression rule;
Step 4: According to the limits in the following qualifier expression, produce a random number M within those limits and loop M times to produce a random string that satisfies both the non-qualifier regex fragment of step 3 and the qualifier expression;
Step 5: If the string array Array still has data, jump to step 2;
Step 6: Compare the generated random string with the strings in the cache; if the same string has been generated before, jump to step 1 and regenerate; if not, output the string;
(3) The concrete operating steps of the random string verification module are:
Step 1: After extracting the random string returned by the user, extract the regular expression associated with the user;
Step 2: Match the random string against the regular expression; if the match succeeds, jump to step 3, otherwise jump to step 5;
Step 3: Then check the string for duplicates: look in the strings already matched to see whether this string has been used before; if it has, jump to step 5, otherwise jump to step 4;
Step 4: Store the string and return the page requested by the user;
Step 5: Verification fails; return the login page.
2. The identity authentication method based on regular expressions according to claim 1, characterised in that the server's regular expression is formed by randomly combining complete regular expression fragments; qualifier expressions and non-qualifier expressions are stored separately and extracted separately, then combined into a regular expression according to the writing rules of regular expressions, and start and end delimiters must be added before and after it to guarantee full-string matching.
3. The identity authentication method based on regular expressions according to claim 1, characterised in that the regular expression transmitted by the server is analysed on the client by a script to generate the random string, and every generated string must be checked for duplicates.
4. The identity authentication method based on regular expressions according to claim 1, characterised in that, when identity verification matches by regular expression, the strings matched previously must be checked for duplicates and stored.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410275481.7A CN104038344B (en) 2014-06-19 2014-06-19 Identity authentication method based on regular expression

Publications (2)

Publication Number Publication Date
CN104038344A CN104038344A (en) 2014-09-10
CN104038344B true CN104038344B (en) 2017-03-22

Family

ID=51468941

Country Status (1)

Country Link
CN (1) CN104038344B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109933973B (en) * 2019-01-24 2024-01-19 平安科技(深圳)有限公司 Password verification method, password verification device, computer equipment and storage medium
CN110086827B (en) * 2019-05-14 2021-11-02 重庆商勤科技有限公司 SQL injection verification method, server and system
CN111949836A (en) * 2020-07-31 2020-11-17 上海中通吉网络技术有限公司 Regular expression application method and system
US11757865B2 (en) * 2020-10-23 2023-09-12 International Business Machines Corporation Rule-based filtering for securing password login

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101563883A (en) * 2006-12-19 2009-10-21 摩托罗拉公司 Locking carrier access in a communication network
CN101667207A (en) * 2009-09-18 2010-03-10 南京联创科技集团股份有限公司 Method for quickly recognizing and selecting employees' identity based on AJAX in WEB2.0
CN102244660A (en) * 2011-07-12 2011-11-16 北京航空航天大学 Encryption method for realizing support of FGAC (Fine Grained Access Control)

Also Published As

Publication number Publication date
CN104038344A (en) 2014-09-10

Similar Documents

Publication Publication Date Title
Kemalis et al. SQL-IDS: a specification-based approach for SQL-injection detection
CN110881044B (en) Computer firewall dynamic defense security platform
CN105160252B (en) A kind of detection method and device of SQL injection attacks
Sadeghian et al. SQL injection is still alive: a study on SQL injection signature evasion techniques
CN105959335B (en) A kind of attack detection method and relevant apparatus
Tajpour et al. Web application security by sql injection detection tools
Sadeghian et al. A taxonomy of SQL injection attacks
Vlsaggio et al. Session management vulnerabilities in today's web
Kar et al. Prevention of SQL Injection attack using query transformation and hashing
CN111221844B (en) Web server protection method based on mimicry instruction set randomization and database proxy node
Nagpal et al. A survey on the detection of SQL injection attacks and their countermeasures
CN104038344B (en) Identity authentication method based on regular expression
Singh et al. SQL injection: Types, methodology, attack queries and prevention
Wang et al. Augmented attack tree modeling of SQL injection attacks
CN111881337B (en) Data acquisition method and system based on Scapy framework and storage medium
CN112131564A (en) Encrypted data communication method, apparatus, device, and medium
CN106506462A (en) A kind of web portal security guard method and device based on list scramble
Shachi et al. A survey on detection and prevention of SQL and NoSQL injection attack on server-side applications
Minhas et al. Blocking of sql injection attacks by comparing static and dynamic queries
CN110581841A (en) Back-end anti-crawler method
Shehu et al. A literature review and comparative analyses on sql injection: vulnerabilities, attacks and their prevention and detection techniques
Jiao et al. SQLIMW: a new mechanism against SQL-Injection
Chaki et al. A Survey on SQL Injection Prevention Methods
Singh et al. Detection and prevention of SQL injection attack using hashing technique
Aliero et al. Classification of Sql Injection Detection And Prevention Measure

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170322