CN106453352A - Single-system multi-platform authentication method - Google Patents

Single-system multi-platform authentication method Download PDF

Info

Publication number
CN106453352A
CN106453352A CN201610933435.0A CN201610933435A CN106453352A CN 106453352 A CN106453352 A CN 106453352A CN 201610933435 A CN201610933435 A CN 201610933435A CN 106453352 A CN106453352 A CN 106453352A
Authority
CN
China
Prior art keywords
client
ciphertext
server
client computer
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610933435.0A
Other languages
Chinese (zh)
Other versions
CN106453352B (en
Inventor
余景寰
唐雪飞
李源
李贞昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China filed Critical University of Electronic Science and Technology of China
Priority to CN201610933435.0A priority Critical patent/CN106453352B/en
Publication of CN106453352A publication Critical patent/CN106453352A/en
Application granted granted Critical
Publication of CN106453352B publication Critical patent/CN106453352B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种单系统多平台身份验证方法,包括以下步骤:S1、服务器获取客户机登录时使用的用户名和用户密码;S2、服务器接收客户机发送的访问请求和密文;S3、服务器验证密文,验证成功后进入步骤S4,验证不成功则执行第一调整方案;S4、服务器解析密文,根据各客户机的协议内容决定当前操作是否存在错误,如果没有错误则进入步骤S5,否则执行第二调整方案;S5、服务器返回允许客户机访问限制资源的回执,并重新加密报文。本发明的身份验证方法,不会在服务器上遗留客户信息,采用加密方式循环,修改字符、使用爬虫引擎撞库或者使用过期密文都会产生攻击警告,能有效降低使用缓存的风险和使用session会话引起的会话固定攻击风险。

The invention discloses a single-system multi-platform identity verification method, comprising the following steps: S1, the server obtains the user name and user password used by the client computer to log in; S2, the server receives the access request and ciphertext sent by the client computer; S3, the server Verify the ciphertext, enter step S4 after the verification is successful, and execute the first adjustment plan if the verification is unsuccessful; S4, the server parses the ciphertext, and determines whether there is an error in the current operation according to the protocol content of each client, if there is no error, then enter step S5, Otherwise, execute the second adjustment solution; S5. The server returns a receipt for allowing the client to access the restricted resource, and re-encrypts the message. The identity verification method of the present invention will not leave customer information on the server, adopts the encryption method to circulate, modify the characters, use the crawler engine to hit the database, or use expired ciphertexts will generate attack warnings, which can effectively reduce the risk of using the cache and use the session session The resulting session fixation attack risk.

Description

一种单系统多平台身份验证方法A single-system multi-platform authentication method

技术领域technical field

本发明属于身份验证技术领域,特别涉及一种单系统多平台身份验证方法。The invention belongs to the technical field of identity verification, in particular to a single-system multi-platform identity verification method.

背景技术Background technique

在Web中包括了四种认证方式:Basic,Form,Digest,SSL:There are four authentication methods in the Web: Basic, Form, Digest, SSL:

1、Basic(HTTP 1.0提出)1. Basic (proposed by HTTP 1.0)

客户端请求某个资源后,服务器会发送一个401(未授权)的响应,在响应中带了Realm信息表示使用Basic认证。After the client requests a certain resource, the server will send a 401 (unauthorized) response with Realm information in the response indicating that Basic authentication is used.

浏览器接收到这个响应后会弹出一个框,输入用户名和密码。点取消表示取消认证,点确定会提交用户名、密码到服务器。提交的方式是在HTTP头中加入:After the browser receives this response, a box will pop up to enter the user name and password. Click Cancel to cancel the authentication, and click OK to submit the user name and password to the server. The way to submit is to add in the HTTP header:

WWW-Authorization:Basic XXXXXXXWWW-Authorization: Basic XXXXXXXX

Basic后面是用户名、密码的BASE64编码。在客户端编程中,这段内容的构造为:Basic is followed by the BASE64 encoding of the username and password. In client programming, this content is constructed as:

String cre=userName+":"+passwordString cre=userName+":"+password

Base64encode(cre);Base64encode(cre);

add to request header with"WWW-Authroization"。add to request header with "WWW-Authroization".

2、Form2. Form

Form就是在页面上以Form的形式提交数据,GET或POST.也可以使用AJAX来提交认证信息。Form is to submit data in the form of Form on the page, GET or POST. You can also use AJAX to submit authentication information.

3、Digest(HTTP 1.1最基本)3. Digest (HTTP 1.1 is the most basic)

为了防止重放攻击,采用摘要访问认证。客户发送一个请求后,收到一个401消息,消息中还包括一个唯一的字符串:nonce,每次请求都不一样。如,To prevent replay attacks, digest access authentication is used. After the client sends a request, it receives a 401 message, which also includes a unique string: nonce, which is different for each request. Such as,

HTTP/1.1 401UnauthorizedHTTP/1.1 401 Unauthorized

WWW-Authenticate:DigestWWW-Authenticate:Digest

realm="xxxxxxx",realm="xxxxxxx",

qop="auth,auth-int",qop="auth,auth-int",

nonce="--base code--",nonce="--base code--",

opaque="--base code--"opaque="--base code--"

此时客户端将用户名、密码、nonce、HTTP Method和URI为校验值基础进行散列(默认为MD5)的摘要返回给服务器。响应头必须包括的5个部分:At this time, the client returns the digest of the user name, password, nonce, HTTP Method and URI as the check value based on the hash (MD5 by default) to the server. The 5 parts that the response header must include:

realm:领域,不同领域可能密码不一样realm: realm, different realms may have different passwords

nonce:挑战值nonce: challenge value

username:用户名username: username

digest-uri:请求URIdigest-uri: Request URI

response:摘要部分response: summary section

服务器端则根据收到的信息加上存储的密码算出一个新的摘要与请求中的摘要比较,因为每次nonce都会变,就很难做到重放攻击了。The server side calculates a new digest based on the received information plus the stored password and compares it with the digest in the request, because the nonce will change every time, so it is difficult to achieve replay attacks.

4、SSL4. SSL

SSL协议位于TCP/IP和应用协议之间,基于公钥体制保证数据通讯的安全性。SSL协议可分为两层:SSL记录协议(SSL Record Protocol):它建立在可靠的传输协议(如TCP)之上,为高层协议提供数据封装、压缩、加密等基本功能的支持。SSL握手协议(SSLHandshake Protocol):它建立在SSL记录协议之上,用于在实际的数据传输开始前,通讯双方进行身份认证、协商加密算法、交换加密密钥等。The SSL protocol is located between TCP/IP and application protocols, and ensures the security of data communication based on the public key system. The SSL protocol can be divided into two layers: SSL Record Protocol (SSL Record Protocol): It is built on a reliable transmission protocol (such as TCP) and provides support for basic functions such as data encapsulation, compression, and encryption for high-level protocols. SSL Handshake Protocol (SSLHandshake Protocol): It is built on the SSL record protocol and is used for identity authentication, negotiation of encryption algorithms, and exchange of encryption keys before the actual data transmission begins.

SSL协议提供的服务主要有:The services provided by the SSL protocol mainly include:

1)认证用户和服务器,确保数据发送到正确的客户机和服务器;1) Authenticate users and servers to ensure that data is sent to the correct client and server;

2)加密数据以防止数据中途被窃取;2) Encrypt data to prevent data from being stolen;

3)维护数据的完整性,确保数据在传输过程中不被改变。3) Maintain data integrity and ensure that data is not changed during transmission.

以上4种基础验证方式中最大的问题所在是只能从数据加密的层面和会话中维持身份的认证,但是无法同步各个不同平台间的系统内容。其次,无法识别用户的登录失败行为和会话失败流程究竟是由错误操作还是由攻击引起的。The biggest problem among the above four basic authentication methods is that identity authentication can only be maintained at the level of data encryption and sessions, but cannot synchronize system content between different platforms. Secondly, it is impossible to identify whether the user's login failure behavior and session failure process are caused by wrong operations or attacks.

发明内容Contents of the invention

本发明的目的在于克服现有技术的不足,提供一种不会在服务器上遗留客户信息,采用加密方式循环,修改字符、使用爬虫引擎撞库或者使用过期密文都会产生攻击警告,能有效降低使用缓存的风险和使用session会话引起的会话固定攻击风险,能够提高身份验证的效率和安全性的单系统多平台身份验证方法。The purpose of the present invention is to overcome the deficiencies of the prior art, to provide a method that does not leave customer information on the server, adopts an encryption method to circulate, modify characters, use a crawler engine to hit a library, or use an expired ciphertext to generate an attack warning, which can effectively reduce The risk of using cache and the risk of session fixation attack caused by using session session can improve the efficiency and security of authentication in a single-system multi-platform authentication method.

本发明的目的是通过以下技术方案来实现的:一种单系统多平台身份验证方法,包括以下步骤:The purpose of the present invention is achieved through the following technical solutions: a single-system multi-platform identity verification method, comprising the following steps:

S1、服务器获取客户机登录时使用的用户名和用户密码,然后访问数据库查找该用户是否存在,若存在则为该用户提供密文,否则提示错误并要求客户机重新登录;S1. The server obtains the user name and user password used by the client to log in, and then accesses the database to find out whether the user exists. If it exists, it provides the ciphertext for the user, otherwise it prompts an error and requires the client to log in again;

S2、服务器接收客户机发送的对于限制资源的访问请求,并接收用户提交的密文;S2. The server receives the access request for restricted resources sent by the client, and receives the ciphertext submitted by the user;

S3、服务器验证密文,验证成功后进入步骤S4,验证不成功则执行第一调整方案;S3. The server verifies the ciphertext, and proceeds to step S4 after the verification is successful, and executes the first adjustment scheme if the verification is unsuccessful;

S4、服务器解析密文,根据请求访问的客户机信息查询相关字段内容,根据各客户机的协议内容决定当前操作是否存在错误,如果没有错误则进入步骤S5,否则执行第二调整方案;S4, the server parses the ciphertext, queries the content of the relevant fields according to the information of the client requesting access, and determines whether there is an error in the current operation according to the protocol content of each client, if there is no error, then enter step S5, otherwise execute the second adjustment plan;

S5、服务器返回允许客户机访问限制资源的回执,并重新加密密文,将加密完成的密文重新发送给客户机。S5. The server returns a receipt for allowing the client computer to access the restricted resource, re-encrypts the ciphertext, and resends the encrypted ciphertext to the client computer.

进一步地,所述步骤S1具体包括以下子步骤:Further, the step S1 specifically includes the following sub-steps:

S11、服务器获取客户机登录时使用的用户名和用户密码,访问数据库查找该用户是否存在,若存在则执行步骤S12,否则提示错误并要求客户机重新登录;S11, the server obtains the user name and user password used when the client logs in, accesses the database to find out whether the user exists, if it exists, executes step S12, otherwise prompts an error and requires the client to log in again;

S12、从数据库中提取该客户机对象,提取token字段,若token字段为空则执行步骤S13,否则执行步骤S14;S12, extracting the client object from the database, extracting the token field, if the token field is empty, then execute step S13, otherwise execute step S14;

S13、使用put方法,将当前客户机的标识信息、当前时间戳、当前登录客户机的平台信息加入到一个字符串—字符串图中,将字符串—字符串图加密成密文,置入缓存;S13. Using the put method, add the identification information of the current client, the current time stamp, and the platform information of the currently logged-in client into a string-string graph, encrypt the string-string graph into ciphertext, and insert cache;

S14、解析token字段,将token字段还原为明文,从请求登陆的报文的首部提取agent字段,作为键值访问指定字段,将其修改为指定内容;再修改LastLogin字段为当前时间戳;修改完后加密成密文,置入缓存;S14, parse the token field, restore the token field to plaintext, extract the agent field from the header of the message requesting login, access the specified field as a key value, and modify it to the specified content; then modify the LastLogin field to the current timestamp; after modification Then encrypt it into ciphertext and put it in the cache;

S15、返回登录成功信息,将密文加入到返回报文的首部作为客户机请求访问闲置资源的密文凭证。S15. Return the login success information, and add the ciphertext to the header of the returned message as the ciphertext credential for the client to request to access the idle resource.

进一步地,所述步骤S13加密过程包括以下子步骤:Further, the encryption process of step S13 includes the following sub-steps:

S131、获取客户机的设备类型,可以使用DeviceFamily命名空间中的内容获取,使用put方法加入字符串—字符串图SecretMap中,键值为:device;S131. To obtain the device type of the client, you can use the content in the DeviceFamily namespace to obtain it, and use the put method to add a string—in the string map SecretMap, the key value is: device;

S132、获取当前程序包被安装的时间,可以使用Package命名空间中的内容获取,使用put方法加入字符串—字符串图SecretMap中,键值为:install;S132, obtain the time when the current program package is installed, you can use the content in the Package namespace to obtain, use the put method to add a string—in the string map SecretMap, the key value is: install;

S133、获取系统时间,使用put方法加入字符串—字符串图SecretMap中,键值为:send;S133. Obtain the system time, and use the put method to add a character string into the SecretMap of the character string map, and the key value is: send;

S134、以JSON格式将字符串—字符串图SecretMap加密,使用的密语由程序开发时定义,由客户机和服务器硬编码保存。S134. Encrypt the string-string map SecretMap in JSON format, the secret words used are defined during program development, and are hard-coded and stored by the client and server.

进一步地,所述步骤S3中验证密文包括以下子步骤:Further, verifying the ciphertext in the step S3 includes the following sub-steps:

S31、服务器解析HTTP请求报文的头部信息,提取其中的验证协议约定字段,提取成功执行S32,否则执行S36;S31. The server parses the header information of the HTTP request message, extracts the verification protocol agreement field therein, and executes S32 if the extraction is successful, otherwise executes S36;

S32、将提取到的验证协议约定字段进行解密,得到字符串-字符串图的结构,称其为StatusMap,提取HTTP请求报文中的客户机代理字段,依次获取客户机所处的平台;S32. Decrypt the extracted verification protocol agreement field to obtain the structure of the string-string map, which is called StatusMap, extract the client agent field in the HTTP request message, and obtain the platform where the client is located in sequence;

S33、判断客户机使用的平台,若为web平台则执行步骤S331,若为非web平台则执行步骤S333;S33. Determine the platform used by the client, if it is a web platform, execute step S331, if it is a non-web platform, execute step S333;

S331、从StatusMap中提取web字段作为验证内容,分析是否出现协议内容错误,若协议内容无误则进行步骤S332;若协议内容有误则进行报错,并报告一次协议内容错误记录,然后执行步骤S34;S331, extract the web field from the StatusMap as the verification content, analyze whether there is an error in the agreement content, if the agreement content is correct, then proceed to step S332; if the agreement content is wrong, then report an error, and report a protocol content error record, and then perform step S34;

S332、判断协议内容与当前时间戳相比是否超时,如果出现超时则进行报错,并报告一次过时错误记录,然后执行步骤S34;若未超时则更新定时器,然后执行步骤S35;S332, judging whether the protocol content is overtime compared with the current timestamp, if overtime occurs, an error is reported, and an outdated error record is reported, and then step S34 is performed; if not overtime, the timer is updated, and then step S35 is performed;

S333、提取响应字段作为验证内容,按照各自协议内容维护持久登录信息,判断登陆信息是否验证成功,若验证成功则执行步骤S35;否则进行报错,并报告一次登陆错误记录,然后执行步骤S34;S333. Extract the response field as the verification content, maintain the persistent login information according to the content of the respective agreements, and judge whether the login information is successfully verified, and if the verification is successful, execute step S35; otherwise, report an error, and report a login error record, and then execute step S34;

S34、提示客户机错误信息,并要求重新登录;S34, prompting the client computer for error information, and requesting to log in again;

S35、重新生成报文,并根据服务器与客户机的协议内容对报文进行加密,将新的报文加入服务器响应报文中的pretoken字段;S35. Regenerate the message, and encrypt the message according to the protocol content between the server and the client, and add the new message to the pretoken field in the server response message;

S36、无法提取验证协议约定字段或验证协议约定字段验证失败,意味着使用了过期协议报文,表示受到了会话固定的攻击方式,服务器产生攻击警告,并置入服务器日志;S36. Failure to extract the verification protocol agreement field or verification failure of the verification agreement agreement field means that an expired protocol message is used, indicating that the attack method of session fixation is received, and the server generates an attack warning and puts it into the server log;

S37、提取StatusMap中客户机身份信息内容,并将其作为业务逻辑中的令牌。S37. Extract the content of the client identity information in the StatusMap, and use it as a token in the business logic.

进一步地,所述步骤S3中的第一调整方案具体为:分析验证结果,查看是否存在密文语法错误,若存在则产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,并提示错误信息,要求客户机重新提供密文;Further, the first adjustment solution in step S3 is specifically: analyze the verification result, check whether there is a syntax error in the ciphertext, and if so, generate an attack warning, put the current agent information and IP address information into the dangerous client source and Output to the log, and prompt an error message, requiring the client to re-provide the ciphertext;

若不存在密文语法错误则检查HTTP报文段中的请求信息,分析报文中agent和IP地址是否源自危险客户源,如果是则产生攻击警告,并将信息输出到日志中,然后要求客户重新提供密文;否则提示错误信息,要求客户端重新提供密文。If there is no ciphertext syntax error, check the request information in the HTTP message segment, analyze whether the agent and IP address in the message come from a dangerous client source, if so, generate an attack warning, and output the information to the log, and then request The client provides the ciphertext again; otherwise, an error message is displayed and the client is required to provide the ciphertext again.

进一步地,所述步骤S4中解析密文包括以下子步骤:Further, parsing the ciphertext in the step S4 includes the following sub-steps:

S41、接收客户机发送的访问请求报文和密文,获取报文和密文接收到的时间戳,记为current;S41. Receive the access request message and ciphertext sent by the client, and obtain the received time stamp of the message and ciphertext, which is recorded as current;

S42、根据约定密语解析密文获取SecretMap,若解析成功执行步骤S43,否则产生攻击警告,将当前访问请求报文中的agent信息和IP地址信息置入危险客户源并输出到日志中,向客户机提示错误;S42. Analyze the ciphertext according to the agreed password to obtain the SecretMap. If the analysis is successful, step S43 is executed; otherwise, an attack warning is generated, and the agent information and IP address information in the current access request message are put into the dangerous client source and output to the log, and sent to the client. The machine prompts an error;

S43、解析SecretMap中的send字段,并与current比较,如果出现current早于send或者current与send的差超过2倍平均网络时延,则认为受到撞库攻击,产生攻击警告,将当前的agent信息和IP地址信息置入危险客源并输出到日志中,提示错误;否则执行步骤S44;S43. Analyze the send field in the SecretMap and compare it with the current. If the current is earlier than the send or the difference between the current and the send exceeds 2 times the average network delay, it is considered to be under a credential stuffing attack, an attack warning is generated, and the current agent information is updated. and IP address information are put into the dangerous customer source and output to the log, prompting an error; otherwise, step S44 is performed;

S44、解析SecretMap中的device段和install字段,通过device段和install字段向服务器查询该客户机是否为可信客户机,如果是则该密文通过验证,否则执行步骤S45;S44, parsing the device section and the install field in the SecretMap, querying the server whether the client computer is a trusted client computer through the device section and the install field, if so, the ciphertext is verified, otherwise step S45 is performed;

S45、检查发送访问请求报文的客户机的操作:如果是登录请求则向客户机进行提示警告,要求客户机提供可信登录操作证明进行验证,验证通过后,将当前信息加入到服务器中进行存储,并将该客户机标识为可信客户机,该密文通过验证,若验证未通过,则向当前在线的客户机发送不可信操作警告,同时产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,提示错误;如果客户机正在进行除登陆请求之外的其他操作,向当前在线的客户机发送不可信操作警告,同时产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,提示错误。S45. Check the operation of the client computer that sends the access request message: if it is a login request, the client computer is prompted and warned, and the client computer is required to provide a credible login operation certificate for verification. After the verification is passed, the current information is added to the server for verification. store, and identify the client as a trusted client, the ciphertext has passed the verification, if the verification fails, an untrusted operation warning will be sent to the currently online client, and an attack warning will be generated at the same time, and the current agent information and IP The address information is put into the dangerous client source and output to the log, prompting an error; if the client computer is performing other operations except the login request, an untrustworthy operation warning will be sent to the currently online client computer, and an attack warning will be generated at the same time, and the current Agent information and IP address information are placed in the source of dangerous customers and output to the log, prompting an error.

进一步地,所述步骤S4中的第二调整方案具体为:判断当前错误类型,如果为超时类错误则提示错误,要求客户机重新登录,跳转登录页面;如果为密文错误则产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,提示错误。Further, the second adjustment scheme in step S4 is specifically: judge the current error type, if it is a timeout error, then prompt an error, require the client to log in again, and jump to the login page; if it is a ciphertext error, generate an attack warning , put the current agent information and IP address information into the dangerous client source and output it to the log, prompting an error.

本发明的有益效果是:本发明针对传统记住用户登录状态需要在服务器留下相关信息的安全问题和单系统多平台容易出现多平台状态相互拥挤的情况进行了专门的优化,采用本发明的身份验证方法,不会在服务器上遗留客户信息,采用加密方式循环,修改字符、使用爬虫引擎撞库或者使用过期密文都会产生攻击警告,能有效降低使用缓存的风险和使用session会话引起的会话固定攻击风险,不会受到CSRF攻击,能够提高身份验证的效率和安全性。The beneficial effects of the present invention are: the present invention is specially optimized for the traditional security problem of remembering the user login status and leaving relevant information on the server and the situation that the multi-platform states of a single system and multiple platforms are likely to be crowded with each other. The identity verification method will not leave customer information on the server, and the encryption method will be used to circulate. Modifying characters, using a crawler engine to hit the library, or using expired ciphertext will generate attack warnings, which can effectively reduce the risk of using the cache and the session caused by the use of the session. Fixed attack risk, will not be attacked by CSRF, can improve the efficiency and security of authentication.

附图说明Description of drawings

图1为本发明的单系统多平台身份验证方法流程图;Fig. 1 is the single-system multi-platform authentication method flow chart of the present invention;

图2为本发明的客户机登录流程图;Fig. 2 is the flow chart of client machine login of the present invention;

图3为本发明的加密流程图;Fig. 3 is the encryption flowchart of the present invention;

图4为本发明的验证密文流程图;Fig. 4 is the verification ciphertext flowchart of the present invention;

图5为本发明的解析密文流程图。Fig. 5 is a flow chart of analyzing ciphertext in the present invention.

具体实施方式detailed description

下面结合附图进一步说明本发明的技术方案。The technical solution of the present invention will be further described below in conjunction with the accompanying drawings.

如图1所示,一种单系统多平台身份验证方法,包括以下步骤:As shown in Figure 1, a single-system multi-platform authentication method includes the following steps:

S1、服务器获取客户机登录时使用的用户名和用户密码,然后访问数据库查找该用户是否存在,若存在则为该用户提供密文,否则提示错误并要求客户机重新登录;如图2所示,具体包括以下子步骤:S1. The server obtains the user name and user password used when the client logs in, and then accesses the database to find out whether the user exists. If it exists, the user is provided with a ciphertext, otherwise an error is prompted and the client is required to log in again; as shown in Figure 2, Specifically include the following sub-steps:

S11、服务器获取客户机登录时使用的用户名和用户密码,访问数据库查找该用户是否存在,若存在则执行步骤S12,否则提示错误并要求客户机重新登录;S11, the server obtains the user name and user password used when the client logs in, accesses the database to find out whether the user exists, if it exists, executes step S12, otherwise prompts an error and requires the client to log in again;

S12、从数据库中提取该客户机对象,提取token字段,若token字段为空则执行步骤S13,否则执行步骤S14;S12, extracting the client object from the database, extracting the token field, if the token field is empty, then execute step S13, otherwise execute step S14;

S13、使用put方法,将当前客户机的标识信息、当前时间戳、当前登录客户机的平台信息加入到一个字符串—字符串图中,将字符串—字符串图加密成密文,置入缓存;S13. Using the put method, add the identification information of the current client, the current time stamp, and the platform information of the currently logged-in client into a string-string graph, encrypt the string-string graph into ciphertext, and insert cache;

.net框架下开发的客户端的agent字段统一置为UWP,安卓系统下开发的客户端agent字段统一置为ADW,IOS系统下开发的客户端agent字段统一置为IOS,下面具体命名空间(或称包)举例以UWP为参考。如图3所示,所述加密过程包括以下子步骤:The agent field of the client developed under the .net framework is uniformly set to UWP, the client agent field developed under the Android system is uniformly set to ADW, and the client agent field developed under the IOS system is uniformly set to IOS. The specific namespace (or called package) for example with UWP as a reference. As shown in Figure 3, the encryption process includes the following sub-steps:

S131、获取客户机的设备类型,可以使用DeviceFamily命名空间中的内容获取,使用put方法加入字符串—字符串图SecretMap中,键值为:device;S131. To obtain the device type of the client, you can use the content in the DeviceFamily namespace to obtain it, and use the put method to add a string—in the string map SecretMap, the key value is: device;

S132、获取当前程序包被安装的时间,可以使用Package命名空间中的内容获取,使用put方法加入字符串—字符串图SecretMap中,键值为:install;S132, obtain the time when the current program package is installed, you can use the content in the Package namespace to obtain, use the put method to add a string—in the string map SecretMap, the key value is: install;

S133、获取系统时间,使用put方法加入字符串—字符串图SecretMap中,键值为:send;S133. Obtain the system time, and use the put method to add a character string into the SecretMap of the character string map, and the key value is: send;

S134、以JSON格式将字符串—字符串图SecretMap加密,使用的密语由程序开发时定义,由客户机和服务器硬编码保存。S134. Encrypt the string-string map SecretMap in JSON format, the secret words used are defined during program development, and are hard-coded and stored by the client and server.

S14、解析token字段,将token字段还原为明文,从请求登陆的报文的首部提取agent字段,作为键值访问指定字段,将其修改为指定内容;再修改LastLogin字段为当前时间戳;修改完后加密成密文,置入缓存;S14, parse the token field, restore the token field to plaintext, extract the agent field from the header of the message requesting login, access the specified field as a key value, and modify it to the specified content; then modify the LastLogin field to the current timestamp; after modification Then encrypt it into ciphertext and put it in the cache;

S15、返回登录成功信息,将密文加入到返回报文的首部作为客户机请求访问闲置资源的密文凭证。S15. Return the login success information, and add the ciphertext to the header of the returned message as the ciphertext credential for the client to request to access the idle resource.

S2、服务器接收客户机发送的对于限制资源的访问请求,并接收用户提交的密文;S2. The server receives the access request for restricted resources sent by the client, and receives the ciphertext submitted by the user;

S3、服务器验证密文,验证成功后进入步骤S4,验证不成功则执行第一调整方案;S3. The server verifies the ciphertext, and proceeds to step S4 after the verification is successful, and executes the first adjustment scheme if the verification is unsuccessful;

如图4所示,所述验证密文包括以下子步骤:As shown in Figure 4, the verification ciphertext includes the following sub-steps:

S31、服务器解析HTTP请求报文的头部信息,提取其中的验证协议约定字段,提取成功执行S32,否则执行S36;S31. The server parses the header information of the HTTP request message, extracts the verification protocol agreement field therein, and executes S32 if the extraction is successful, otherwise executes S36;

S32、将提取到的验证协议约定字段进行解密,得到字符串-字符串图的结构,称其为StatusMap,提取HTTP请求报文中的客户机代理字段,依次获取客户机所处的平台;S32. Decrypt the extracted verification protocol agreement field to obtain the structure of the string-string map, which is called StatusMap, extract the client agent field in the HTTP request message, and obtain the platform where the client is located in sequence;

S33、判断客户机使用的平台,若为web平台则执行步骤S331,若为非web平台则执行步骤S333;S33. Determine the platform used by the client, if it is a web platform, execute step S331, if it is a non-web platform, execute step S333;

S331、从StatusMap中提取web字段作为验证内容,分析是否出现协议内容错误,若协议内容无误则进行步骤S332;若协议内容有误则进行报错,并报告一次协议内容错误记录,然后执行步骤S34;S331, extract the web field from the StatusMap as the verification content, analyze whether there is an error in the agreement content, if the agreement content is correct, then proceed to step S332; if the agreement content is wrong, then report an error, and report a protocol content error record, and then perform step S34;

S332、判断协议内容与当前时间戳相比是否超时,如果出现超时则进行报错,并报告一次过时错误记录,然后执行步骤S34;若未超时则更新定时器,然后执行步骤S35;S332, judging whether the protocol content is overtime compared with the current timestamp, if overtime occurs, an error is reported, and an outdated error record is reported, and then step S34 is performed; if not overtime, the timer is updated, and then step S35 is performed;

S333、提取响应字段作为验证内容,按照各自协议内容维护持久登录信息,判断登陆信息是否验证成功,若验证成功则执行步骤S35;否则进行报错,并报告一次登陆错误记录,然后执行步骤S34;S333. Extract the response field as the verification content, maintain the persistent login information according to the content of the respective agreements, and judge whether the login information is successfully verified, and if the verification is successful, execute step S35; otherwise, report an error, and report a login error record, and then execute step S34;

S34、提示客户机错误信息,并要求重新登录;S34, prompting the client computer for an error message, and requesting to log in again;

S35、重新生成报文,并根据服务器与客户机的协议内容对报文进行加密,将新的报文加入服务器响应报文中的pretoken字段;S35. Regenerate the message, and encrypt the message according to the protocol content between the server and the client, and add the new message to the pretoken field in the server response message;

S36、无法提取验证协议约定字段或验证协议约定字段验证失败,意味着使用了过期协议报文,表示受到了会话固定的攻击方式,服务器产生攻击警告,并置入服务器日志;S36. Failure to extract the verification protocol agreement field or verification failure of the verification agreement agreement field means that an expired protocol message is used, indicating that the attack method of session fixation is received, and the server generates an attack warning and puts it into the server log;

S37、提取StatusMap中客户机身份信息内容,并将其作为业务逻辑中的令牌。S37. Extract the content of the client identity information in the StatusMap, and use it as a token in the business logic.

所述第一调整方案具体为:分析验证结果,查看是否存在密文语法错误(SyntaxException),若存在则产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,并提示错误信息,要求客户机重新提供密文;The first adjustment scheme is specifically: analyze the verification result, check whether there is a ciphertext syntax error (SyntaxException), if there is an attack warning, put the current agent information and IP address information into the dangerous client source and output it in the log , and prompts an error message, requiring the client to provide the ciphertext again;

若不存在密文语法错误则检查HTTP报文段中的请求信息,分析报文中agent和IP地址是否源自危险客户源,如果是则产生攻击警告,并将信息输出到日志中,然后要求客户重新提供密文;否则提示错误信息,要求客户端重新提供密文。If there is no ciphertext syntax error, check the request information in the HTTP message segment, analyze whether the agent and IP address in the message come from a dangerous client source, if so, generate an attack warning, and output the information to the log, and then request The client provides the ciphertext again; otherwise, an error message is displayed and the client is required to provide the ciphertext again.

S4、服务器解析密文,根据请求访问的客户机信息查询相关字段内容,根据各客户机的协议内容决定当前操作是否存在错误,如果没有错误则进入步骤S5,否则执行第二调整方案;S4, the server parses the ciphertext, queries the content of the relevant fields according to the information of the client requesting access, and determines whether there is an error in the current operation according to the protocol content of each client, if there is no error, then enter step S5, otherwise execute the second adjustment plan;

如图5所示,解析密文包括以下子步骤:As shown in Figure 5, parsing the ciphertext includes the following sub-steps:

S41、接收客户机发送的访问请求报文和密文,获取报文和密文接收到的时间戳,记为current;S41. Receive the access request message and ciphertext sent by the client, and obtain the received time stamp of the message and ciphertext, which is recorded as current;

S42、根据约定密语解析密文获取SecretMap,若解析成功执行步骤S43,否则产生攻击警告,将当前访问请求报文中的agent信息和IP地址信息置入危险客户源并输出到日志中,向客户机提示错误;S42. Analyze the ciphertext according to the agreed password to obtain the SecretMap. If the analysis is successful, step S43 is executed; otherwise, an attack warning is generated, and the agent information and IP address information in the current access request message are put into the dangerous client source and output to the log, and sent to the client. The machine prompts an error;

S43、解析SecretMap中的send字段,并与current比较,如果出现current早于send或者current与send的差超过2倍平均网络时延,则认为受到撞库攻击,产生攻击警告,将当前的agent信息和IP地址信息置入危险客源并输出到日志中,提示错误;否则执行步骤S44;S43. Analyze the send field in the SecretMap and compare it with the current. If the current is earlier than the send or the difference between the current and the send exceeds 2 times the average network delay, it is considered to be under a credential stuffing attack, an attack warning is generated, and the current agent information is updated. and IP address information are put into dangerous customer sources and output to the log, prompting an error; otherwise, step S44 is performed;

S44、解析SecretMap中的device段和install字段,通过device段和install字段向服务器查询该客户机是否为可信客户机,如果是则该密文通过验证,否则执行步骤S45;S44, parsing the device section and the install field in the SecretMap, querying the server whether the client computer is a trusted client computer through the device section and the install field, if so, the ciphertext is verified, otherwise step S45 is performed;

S45、检查发送访问请求报文的客户机的操作:如果是登录请求则向客户机进行提示警告,要求客户机提供可信登录操作证明进行验证,验证通过后,将当前信息加入到服务器中进行存储,并将该客户机标识为可信客户机,该密文通过验证,若验证未通过,则向当前在线的客户机发送不可信操作警告,同时产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,提示错误;如果客户机正在进行除登陆请求之外的其他操作,向当前在线的客户机发送不可信操作警告,同时产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,提示错误。S45. Check the operation of the client computer that sends the access request message: if it is a login request, the client computer is prompted and warned, and the client computer is required to provide a credible login operation certificate for verification. After the verification is passed, the current information is added to the server for verification. store, and identify the client as a trusted client, the ciphertext has passed the verification, if the verification fails, an untrusted operation warning will be sent to the currently online client, and an attack warning will be generated at the same time, and the current agent information and IP The address information is put into the dangerous client source and output to the log, prompting an error; if the client computer is performing other operations except the login request, an untrustworthy operation warning will be sent to the currently online client computer, and an attack warning will be generated at the same time, and the current Agent information and IP address information are placed in the source of dangerous customers and output to the log, prompting an error.

所述第二调整方案具体为:判断当前错误类型,如果为超时类错误(OvertimeException)则提示错误,要求客户机重新登录,跳转登录页面;如果为密文错误(ProtocolException)则产生攻击警告,将当前的agent信息和IP地址信息置入危险客户源并输出到日志中,提示错误。The second adjustment scheme is specifically: judge the current error type, if it is an overtime error (OvertimeException), it will prompt an error, require the client to log in again, and jump to the login page; if it is a ciphertext error (ProtocolException), an attack warning will be generated, Put the current agent information and IP address information into the dangerous client source and output it to the log, prompting an error.

S5、服务器返回允许客户机访问限制资源的回执,并重新加密密文,将加密完成的密文重新发送给客户机。S5. The server returns a receipt for allowing the client computer to access the restricted resource, re-encrypts the ciphertext, and resends the encrypted ciphertext to the client computer.

本领域的普通技术人员将会意识到,这里所述的实施例是为了帮助读者理解本发明的原理,应被理解为本发明的保护范围并不局限于这样的特别陈述和实施例。本领域的普通技术人员可以根据本发明公开的这些技术启示做出各种不脱离本发明实质的其它各种具体变形和组合,这些变形和组合仍然在本发明的保护范围内。Those skilled in the art will appreciate that the embodiments described here are to help readers understand the principles of the present invention, and it should be understood that the protection scope of the present invention is not limited to such specific statements and embodiments. Those skilled in the art can make various other specific modifications and combinations based on the technical revelations disclosed in the present invention without departing from the essence of the present invention, and these modifications and combinations are still within the protection scope of the present invention.

Claims (7)

1. a kind of multi-platform auth method of single system is it is characterised in that comprise the following steps:
S1, server obtain the user name using during client logon and user cipher, then access this user of database lookup Whether there is, if existing, providing ciphertext for this user, otherwise point out mistake and require client computer again to log in;
The access request for restriction resource that S2, server subscribing client send, and the ciphertext that receive user is submitted to;
S3, server authentication ciphertext, enter step S4 after being proved to be successful, checking is unsuccessful, executes the first Adjusted Option;
S4, server parsing ciphertext, the client information inquiry relevant field content being accessed according to request, according to each client computer Protocol contents determine that current operation whether there is mistake, then enter step S5 without mistake, otherwise execute the second adjustment side Case;
S5, server return and allow client computer to access the receipt limiting resource, and encrypted cipher text again, the ciphertext that encryption is completed Resend to client computer.
2. the multi-platform auth method of single system according to claim 1 is it is characterised in that described step S1 is specifically wrapped Include following sub-step:
S11, server obtain the user name using during client logon and user cipher, whether access this user of database lookup Exist, if existing, execution step S12, otherwise pointing out mistake and requiring client computer again to log in;
S12, extract this client objects from data base, extract token field, if token field is sky, execution step S13, otherwise execution step S14;
S13, use put method, by the identification information of current client, current time stamp, the current platform letter logging in client computer Breath is added to a string characters string in figure, string characters string figure is encrypted to ciphertext, inserts caching;
S14, parsing token field, token field is reduced in plain text, extract agent word from the stem asking the message logging in Section, accesses specific field as key assignments, is revised as given content;Changing LastLogin field again is current time stamp;Repair It is encrypted to ciphertext after having changed, insert caching;
S15, return login successfully information, and stem ciphertext being added to returned packet accesses slack resources as client requests Ciphertext voucher.
3. the multi-platform auth method of single system according to claim 2 is it is characterised in that described step S13 is encrypted Process includes following sub-step:
S131, the device type of acquisition client computer, are added in string characters string figure SecretMap using put method;
S132, acquisition present procedure are coated the time of installation, add string characters string figure SecretMap using put method In;
S133, acquisition system time, are added in string characters string figure SecretMap using put method;
S134, with JSON form, string characters string figure SecretMap is encrypted, the cipher of use determined by during program development Justice, is preserved by client-server hard coded.
4. the multi-platform auth method of single system according to claim 3 is it is characterised in that verify in described step S3 Ciphertext includes following sub-step:
S31, server parse the header information of HTTP request message, extract indentification protocol agreement field therein, extract successfully Execution S32, otherwise executes S36;
S32, the indentification protocol extracted agreement field is decrypted, obtains the structure of character string-character string figure, be called StatusMap, extracts the client proxy field in HTTP request message, obtains the platform residing for client computer successively;
S33, judge client computer use platform, if web platform then execution step S331, if non-web platform then executes step Rapid S333;
S331, from StatusMap extract web field as checking content, analyse whether that protocol contents mistake occurs, if agreement Content is errorless, carries out step S332;If protocol contents are wrong, reported an error, and reported a protocol contents error logging, so Execution step S34 afterwards;
S332, judge protocol contents whether time-out compared with current time stamp, then reported an error if there is time-out, and report one Secondary time-out error record, then execution step S34;If having not timed out, update intervalometer, then execution step S35;
S333, extraction response field, as checking content, safeguard lasting log-on message according to respective protocol contents, judge to log in letter Whether breath is proved to be successful, if being proved to be successful, execution step S35;Otherwise reported an error, and report and once log in error logging, so Execution step S34 afterwards;
S34, prompting Client Error information, and require again to log in;
S35, regenerate message, and according to the protocol contents of server and client computer, message is encrypted, by new message Add the pretoken field in server response message;
S36, indentification protocol agreement field or indentification protocol agreement field authentication failed cannot be extracted it is meant that employing expired association View message, represents and receives the fixing attack pattern of session, and server produces attacks warning, is placed into server log;
Client identity information content in S37, extraction StatusMap, and as the token in service logic.
5. the multi-platform auth method of single system according to claim 4 it is characterised in that in described step S3 One Adjusted Option is specially:Analysis verification result, checks whether there is ciphertext syntax error, if existing, producing and attacking warning, Current agent information and IP address information are inserted dangerous client source and export in daily record, and point out error message it is desirable to Client computer provides ciphertext again;
If there is not ciphertext syntax error, check the solicited message in HTTP message section, agent and IP address in analysis message Whether from dangerous client source, if it is produce and attack warning, and by information output in daily record, then require client again Ciphertext is provided;Otherwise prompting error message is it is desirable to client provides ciphertext again.
6. the multi-platform auth method of single system according to claim 5 is it is characterised in that parse in described step S4 Ciphertext includes following sub-step:
Access request message and ciphertext that S41, subscribing client send, obtain the timestamp that message and ciphertext receive, are designated as current;
S42, parsing ciphertext of being talked secretly according to agreement obtain SecretMap, if successfully resolved execution step S43, otherwise produce and attack Warning, the agent information in current access request message and IP address information is inserted dangerous client source and exports in daily record, Point out mistake to client computer;
Send field in S43, parsing SecretMap, and is compared with current, if there is current early than send or The difference of current and send is attacked then it is assumed that being hit storehouse more than 2 times of averaging network time delays, produces and attacks warning, will be current Agent information and IP address information are inserted dangerous traveller and are exported in daily record, point out mistake;Otherwise execution step S44;
Device section in S44, parsing SecretMap and install field, by device section and install field to clothes Business device inquires about whether this client computer is trusted client, and if it is this ciphertext passes through checking, otherwise execution step S45;
S45, inspection send the operation of the client computer of access request message:If logging request then carries out prompting police to client computer Accuse it is desirable to client computer provides credible register to prove to be verified, after being verified, current information is added in server Stored, and this client identifying is trusted client, this ciphertext is passed through checking, does not pass through if verifying, exists to current The client computer of line sends insincere operation warning, produces simultaneously and attacks warning, current agent information and IP address information are put Enter dangerous client source and export in daily record, point out mistake;If client computer is carrying out other behaviour in addition to log on request Make, send insincere operation warning to currently online client computer, produce simultaneously and attack warning, by current agent information and IP address information is inserted dangerous client source and is exported in daily record, points out mistake.
7. the multi-platform auth method of single system according to claim 6 it is characterised in that in described step S4 Two Adjusted Option are specially:Judge current erroneous type, then point out mistake it is desirable to client computer is stepped on again if overtime class mistake Record, redirects login page;Then produce attack warning if ciphertext mistake, current agent information and IP address information are put Enter dangerous client source and export in daily record, point out mistake.
CN201610933435.0A 2016-10-25 2016-10-25 Single-system multi-platform identity authentication method Active CN106453352B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610933435.0A CN106453352B (en) 2016-10-25 2016-10-25 Single-system multi-platform identity authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610933435.0A CN106453352B (en) 2016-10-25 2016-10-25 Single-system multi-platform identity authentication method

Publications (2)

Publication Number Publication Date
CN106453352A true CN106453352A (en) 2017-02-22
CN106453352B CN106453352B (en) 2020-04-17

Family

ID=58177938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610933435.0A Active CN106453352B (en) 2016-10-25 2016-10-25 Single-system multi-platform identity authentication method

Country Status (1)

Country Link
CN (1) CN106453352B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018157667A1 (en) * 2017-02-28 2018-09-07 中兴通讯股份有限公司 Method and device for generating password
CN108600209A (en) * 2018-04-16 2018-09-28 新华三信息安全技术有限公司 A kind of information processing method and device
CN111212033A (en) * 2019-12-16 2020-05-29 北京淇瑀信息科技有限公司 Page display method and device based on combined web crawler defense technology and electronic equipment
CN111222121A (en) * 2019-12-27 2020-06-02 广州芯德通信科技股份有限公司 Authorization management method for embedded equipment
CN111343191A (en) * 2020-03-03 2020-06-26 浙江大华技术股份有限公司 Session checking method and device, storage medium and electronic device
CN111626719A (en) * 2019-02-28 2020-09-04 北京沃东天骏信息技术有限公司 Click event processing method and device, storage medium and electronic equipment
CN112383535A (en) * 2020-11-10 2021-02-19 平安普惠企业管理有限公司 Method and device for detecting Hash transfer attack behavior and computer equipment
CN112667730A (en) * 2021-01-13 2021-04-16 永辉云金科技有限公司 External data verification method, system, equipment and storage medium
CN114579517A (en) * 2022-02-28 2022-06-03 浪潮云信息技术股份公司 A system for CDN node file pre-storage based on collaborative filtering algorithm

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060520A (en) * 2006-04-21 2007-10-24 盛趣信息技术(上海)有限公司 Token-based SSO authentication system
CN101174953A (en) * 2007-03-27 2008-05-07 兰州大学 A Method of Identity Authentication Based on S/Key System
CN101465735A (en) * 2008-12-19 2009-06-24 北京大学 Network user identification verification method, server and client terminal
CN101668013A (en) * 2009-03-30 2010-03-10 刘文祥 Network connection technology and system thereof
US20110265149A1 (en) * 2010-04-26 2011-10-27 Hawk And Seal, Inc. Secure and efficient login and transaction authentication using iphonestm and other smart mobile communication devices
CN102780674A (en) * 2011-05-09 2012-11-14 同方股份有限公司 Method and system for processing network service by utilizing multifactor authentication method
CN103929435A (en) * 2014-05-05 2014-07-16 中国科学院计算机网络信息中心 A trusted verification method based on DNSSEC and DANE protocol
CN103944900A (en) * 2014-04-18 2014-07-23 中国科学院计算技术研究所 Cross-station request attack defense method and device based on encryption
CN105187382A (en) * 2015-08-05 2015-12-23 西安电子科技大学 Multi-factor identity authentication method for preventing library collision attacks

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060520A (en) * 2006-04-21 2007-10-24 盛趣信息技术(上海)有限公司 Token-based SSO authentication system
CN101174953A (en) * 2007-03-27 2008-05-07 兰州大学 A Method of Identity Authentication Based on S/Key System
CN101465735A (en) * 2008-12-19 2009-06-24 北京大学 Network user identification verification method, server and client terminal
CN101668013A (en) * 2009-03-30 2010-03-10 刘文祥 Network connection technology and system thereof
US20110265149A1 (en) * 2010-04-26 2011-10-27 Hawk And Seal, Inc. Secure and efficient login and transaction authentication using iphonestm and other smart mobile communication devices
CN102780674A (en) * 2011-05-09 2012-11-14 同方股份有限公司 Method and system for processing network service by utilizing multifactor authentication method
CN103944900A (en) * 2014-04-18 2014-07-23 中国科学院计算技术研究所 Cross-station request attack defense method and device based on encryption
CN103929435A (en) * 2014-05-05 2014-07-16 中国科学院计算机网络信息中心 A trusted verification method based on DNSSEC and DANE protocol
CN105187382A (en) * 2015-08-05 2015-12-23 西安电子科技大学 Multi-factor identity authentication method for preventing library collision attacks

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018157667A1 (en) * 2017-02-28 2018-09-07 中兴通讯股份有限公司 Method and device for generating password
CN108600209A (en) * 2018-04-16 2018-09-28 新华三信息安全技术有限公司 A kind of information processing method and device
CN111626719A (en) * 2019-02-28 2020-09-04 北京沃东天骏信息技术有限公司 Click event processing method and device, storage medium and electronic equipment
CN111212033A (en) * 2019-12-16 2020-05-29 北京淇瑀信息科技有限公司 Page display method and device based on combined web crawler defense technology and electronic equipment
CN111222121B (en) * 2019-12-27 2022-03-11 广州芯德通信科技股份有限公司 Authorization management method for embedded equipment
CN111222121A (en) * 2019-12-27 2020-06-02 广州芯德通信科技股份有限公司 Authorization management method for embedded equipment
CN111343191A (en) * 2020-03-03 2020-06-26 浙江大华技术股份有限公司 Session checking method and device, storage medium and electronic device
CN111343191B (en) * 2020-03-03 2022-08-16 浙江大华技术股份有限公司 Session checking method and device, storage medium and electronic device
CN112383535A (en) * 2020-11-10 2021-02-19 平安普惠企业管理有限公司 Method and device for detecting Hash transfer attack behavior and computer equipment
CN112383535B (en) * 2020-11-10 2022-10-25 平安普惠企业管理有限公司 Method and device for detecting Hash transfer attack behavior and computer equipment
CN112667730A (en) * 2021-01-13 2021-04-16 永辉云金科技有限公司 External data verification method, system, equipment and storage medium
CN112667730B (en) * 2021-01-13 2023-04-07 永辉云金科技有限公司 External data verification method, system, equipment and storage medium
CN114579517A (en) * 2022-02-28 2022-06-03 浪潮云信息技术股份公司 A system for CDN node file pre-storage based on collaborative filtering algorithm

Also Published As

Publication number Publication date
CN106453352B (en) 2020-04-17

Similar Documents

Publication Publication Date Title
CN106453352A (en) Single-system multi-platform authentication method
CN112218294B (en) 5G-based access method and system for Internet of things equipment and storage medium
CN103944900B (en) It is a kind of that attack prevention method and its device are asked across station based on encryption
US9853964B2 (en) System and method for authenticating the legitimacy of a request for a resource by a user
CN102201915B (en) A terminal authentication method and device based on single sign-on
CN103179134A (en) Single sign on method and system based on Cookie and application server thereof
CN107612889B (en) Method for preventing user information leakage
CN114900338A (en) Encryption and decryption method, device, equipment and medium
CN102217280B (en) User service authentication method, system and server
JP2012527179A (en) HTTP-based authentication
CN107579991A (en) A kind of method that high in the clouds protection certification is carried out to client, server and client side
CN112000951A (en) Access method, device, system, electronic equipment and storage medium
CN110838920B (en) Password authentication and key agreement protocol in web system without storing password related information
CN110166453A (en) A kind of interface authentication method, system and storage medium based on SE chip
CN110336807A (en) A kind of identity identifying method based on Web service, equipment and storage medium
CN116108416A (en) Application program interface safety protection method and system
CN104579657A (en) Method and device for identity authentication
CN113872992A (en) Method for realizing strong security authentication of remote Web access in BMC system
CN115473668A (en) Data verification method and device
CN106534196A (en) An Authentication Method Against Password Guessing Replay Attack
Putro et al. Implementation of the park schema on user authentication services using password-based web codeigniter library to overcome man in the middle attack
Gajek et al. Stronger TLS bindings for SAML assertions and SAML artifacts
CN116527341A (en) Client-side calling rear-end interface authentication authorization security method
CN107809408A (en) Third party logs in leak and solves method in a kind of android system
CN113395275A (en) Cloud platform safety protection function control method, system and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant