CN106453352A - Single-system multi-platform authentication method - Google Patents


Info

Publication number: CN106453352A
Application number: CN201610933435.0A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN106453352B
Inventors: 余景寰, 唐雪飞, 李源, 李贞昊
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The invention discloses a single-system multi-platform authentication method comprising the following steps: S1, the server acquires the user name and user password that the client used when registering; S2, the server receives an access request and a ciphertext sent by the client; S3, the server verifies the ciphertext and, if verification succeeds, proceeds to step S4, otherwise executes a first adjustment scheme; S4, the server parses the ciphertext and, according to the protocol contents of each client, decides whether the current operation is erroneous, and if not proceeds to step S5, otherwise executes a second adjustment scheme; S5, the server returns a receipt allowing the client to access the restricted resource and re-encrypts the message. The method leaves no client information on the server and circulates data in encrypted form; because an attack alarm is raised when characters are modified, when a crawler engine is used for credential stuffing, or when expired ciphertext is used, the risk of using caches is reduced and the session-fixation attack risk caused by using sessions is effectively reduced.

Description

Single-system multi-platform authentication method
Technical field
The invention belongs to the field of identity verification technology, and in particular to a single-system multi-platform authentication method.
Background technology
Four authentication modes are used on the Web: Basic, Form, Digest and SSL.
1. Basic (proposed in HTTP 1.0)
After the client requests a resource, the server sends a 401 (Unauthorized) response carrying Realm information, which indicates that Basic authentication is used.
On receiving this response the browser pops up a dialog for entering a user name and password. Clicking Cancel abandons authentication; clicking OK submits the user name and password to the server. They are submitted by adding an HTTP header:
WWW-Authorization: Basic XXXXXXX
What follows Basic is the BASE64 encoding of the user name and password. In client code this content is constructed as:
String cre = userName + ":" + password;
String encoded = Base64encode(cre);   // BASE64-encode the "user:password" string
// add to the request header: WWW-Authorization: Basic <encoded>
2. Form
Form authentication submits the data from a page as an HTML form, by GET or POST; the authentication information can also be submitted with AJAX.
3. Digest (HTTP 1.1)
To prevent replay attacks, digest access authentication is used. After the client sends a request, it receives a 401 message that also contains a unique string, the nonce, which differs for every request. For example:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="xxxxxxx",
qop="auth,auth-int",
nonce="-- base code --",
opaque="-- base code --"
The client now hashes the user name, password, nonce, HTTP method and URI (MD5 by default) and returns the digest to the server. The response header must contain five parts:
realm: the realm; different realms may have different passwords
nonce: the challenge value
username: the user name
digest-uri: the request URI
response: the digest itself
The server computes a new digest from the received information plus the stored password and compares it with the digest in the request; because every nonce changes, a replay attack is hard to carry out.
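As an added illustration of the Digest exchange just described (not part of the patent text), the following Python sketches the server side: issuing a nonce, building the WWW-Authenticate challenge, and verifying the parts of the client's response with qop=auth per RFC 2617. The user table, realm, nonce lifetime and single-use nonce store are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample data for the example: in a real server the password (or the
# precomputed HA1) comes from the credential store.
USERS = {"alice": "correct horse battery staple"}
REALM = "xxxxxxx"
NONCE_LIFETIME_S = 300

# nonce -> issue time. Remembering the nonces it handed out is what lets the server
# reject a replayed Authorization header: a nonce is accepted once and then forgotten.
ISSUED_NONCES = {}


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def issue_nonce(now=None):
    """Server side of the 401 exchange: a fresh, unpredictable nonce per challenge."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES[nonce] = time.time() if now is None else now
    return nonce


def challenge_header(nonce, opaque="-- base code --"):
    """The WWW-Authenticate line carried by the 401 response."""
    return 'WWW-Authenticate: Digest realm="%s", qop="auth", nonce="%s", opaque="%s"' % (
        REALM, nonce, opaque)


def compute_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), where
    HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


def verify_digest(parts, method, now=None):
    """Check the fields of an Authorization: Digest header (a dict of name -> value).

    Returns (ok, reason). The five parts the page lists (realm, nonce, username,
    digest-uri, response) plus nc and cnonce, which qop=auth requires, must be present.
    """
    now = time.time() if now is None else now
    required = ("realm", "nonce", "username", "uri", "response", "nc", "cnonce")
    if any(k not in parts for k in required):
        return False, "missing field"
    if parts["realm"] != REALM:
        return False, "wrong realm"
    # Single use: pop the nonce so the same header presented twice fails the second time,
    # even though its digest is arithmetically correct.
    issued = ISSUED_NONCES.pop(parts["nonce"], None)
    if issued is None:
        return False, "unknown or replayed nonce"
    if now - issued > NONCE_LIFETIME_S:
        return False, "stale nonce"
    # Always run the comparison, also for unknown users, so reply timing does not
    # reveal whether a user name exists.
    password = USERS.get(parts["username"], "")
    expected = compute_response(parts["username"], REALM, password, method, parts["uri"],
                                parts["nonce"], parts["nc"], parts["cnonce"])
    if parts["username"] not in USERS or not secrets.compare_digest(expected, parts["response"]):
        return False, "bad digest"
    return True, "ok"
```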
4. SSL
The SSL protocol sits between TCP/IP and the application protocol and secures data communication on the basis of a public-key system. The SSL protocol is divided into two layers. The SSL Record Protocol is built on a reliable transport protocol (such as TCP) and provides upper-layer protocols with basic functions such as data encapsulation, compression and encryption. The SSL Handshake Protocol is built on the SSL Record Protocol and is used, before actual data transfer begins, for mutual authentication of the communicating parties, negotiation of the encryption algorithm, exchange of encryption keys, and so on.
The services provided by the SSL protocol are mainly:
1) authenticating user and server, ensuring that data is sent to the correct client and server;
2) encrypting data so that it cannot be stolen in transit;
3) maintaining the integrity of data, ensuring that it is not altered during transmission.
Among the four basic authentication modes above, the biggest problem is that identity authentication can only be maintained at the level of data encryption and sessions; the system cannot synchronize its content across different platforms. Secondly, it is impossible to tell whether a user's login-failure or session-failure flow was caused by mis-operation or actually by an attack.
Summary of the invention
It is an object of the invention to overcome the deficiencies of the prior art and provide a single-system multi-platform authentication method that leaves no client information on the server, circulates data in encrypted form, raises an attack warning whenever characters are modified, a crawler engine is used for credential stuffing, or expired ciphertext is used, effectively reduces the risk of using caches and the session-fixation attack risk caused by using sessions, and improves the efficiency and security of identity verification.
The object of the invention is achieved through the following technical solution: a single-system multi-platform authentication method comprising the following steps:
S1: the server obtains the user name and user password used when the client logs in, then looks the user up in the database; if the user exists, a ciphertext is provided for the user, otherwise an error is reported and the client is required to log in again;
S2: the server receives the access request for a restricted resource sent by the client, together with the ciphertext submitted by the user;
S3: the server verifies the ciphertext; if verification succeeds, proceed to step S4; if it fails, execute the first adjustment scheme;
S4: the server parses the ciphertext, queries the relevant field contents according to the client information in the access request, and determines from the protocol contents of each client whether the current operation is erroneous; if there is no error, proceed to step S5, otherwise execute the second adjustment scheme;
S5: the server returns a receipt allowing the client to access the restricted resource, re-encrypts the ciphertext, and sends the re-encrypted ciphertext back to the client.
Further, step S1 specifically comprises the following sub-steps:
S11: the server obtains the user name and user password used when the client logs in and looks the user up in the database; if the user exists, execute step S12, otherwise report an error and require the client to log in again;
S12: extract the client object from the database and extract its token field; if the token field is empty, execute step S13, otherwise execute step S14;
S13: using the put method, add the identification information of the current client, the current timestamp and the platform information of the client currently logging in to a string-string map; encrypt the map into a ciphertext and insert it into the cache;
S14: parse the token field and restore it to plaintext; extract the agent field from the header of the login request message, use it as the key to access the corresponding field and set that field to the given content; then set the LastLogin field to the current timestamp; after the changes, encrypt to ciphertext and insert into the cache;
S15: return a login-success message and add the ciphertext to the header of the returned message as the ciphertext credential with which the client requests access to restricted resources.
Further, the encryption process of step S13 comprises the following sub-steps:
S131: obtain the device type of the client (the content obtained from the DeviceFamily namespace can be used) and add it to the string-string map SecretMap with the put method, under the key device;
S132: obtain the time at which the current program package was installed (the content obtained from the Package namespace can be used) and add it to SecretMap with the put method, under the key install;
S133: obtain the system time and add it to SecretMap with the put method, under the key send;
S134: encrypt SecretMap in JSON form; the cipher used is defined during program development and is kept hard-coded in both client and server.
Further, in step S3, verifying the ciphertext comprises the following sub-steps:
S31: the server parses the header of the HTTP request message and extracts the verification-protocol agreement field from it; if extraction succeeds, execute S32, otherwise execute S36;
S32: decrypt the extracted agreement field to obtain a string-string map structure, called StatusMap; then extract the client agent field from the HTTP request message to obtain the platform the client is on;
S33: determine the platform the client uses; if it is the web platform, execute step S331; if it is a non-web platform, execute step S333;
S331: extract the web field from StatusMap as the verification content and check whether a protocol-content error is present; if the protocol contents are correct, proceed to step S332; if they are wrong, report an error, record a protocol-content error, then execute step S34;
S332: compare the protocol contents with the current timestamp to determine whether they have timed out; if so, report an error, record a timeout error, then execute step S34; if not, update the timer, then execute step S35;
S333: extract the response field as the verification content, maintain the persistent login information according to the respective protocol contents, and determine whether the login information verifies successfully; if so, execute step S35; otherwise report an error, record a login error, then execute step S34;
S34: show the client the error information and require it to log in again;
S35: regenerate the message, encrypt it according to the protocol contents of the server and the client, and add the new message to the pretoken field of the server response message;
S36: failure to extract the agreement field, or failure of its verification, means that an expired protocol message was used, which indicates a session-fixation attack pattern; the server raises an attack warning and writes it to the server log;
S37: extract the client identity information from StatusMap and use it as the token in the service logic.
Further, the first adjustment scheme in step S3 is specifically: analyze the verification result and check whether a ciphertext syntax error is present; if so, raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and show an error message requiring the client to provide the ciphertext again;
if there is no ciphertext syntax error, check the request information in the HTTP message and analyze whether the agent and IP address in the message come from a dangerous client source; if so, raise an attack warning, write the information to the log, and require the client to provide the ciphertext again; otherwise show an error message requiring the client to provide the ciphertext again.
Further, in step S4, parsing the ciphertext comprises the following sub-steps:
S41: receive the access request message and ciphertext sent by the client and obtain the timestamp at which they are received, recorded as current;
S42: parse the ciphertext according to the protocol to obtain SecretMap; if parsing succeeds, execute step S43, otherwise raise an attack warning, write the agent information and IP address of the current access request to the dangerous-client-source log, and report an error to the client;
S43: parse the send field in SecretMap and compare it with current; if current is earlier than send, or the difference between current and send exceeds twice the average network delay, the request is treated as a credential-stuffing attack: raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error; otherwise execute step S44;
S44: parse the device and install fields in SecretMap and query the server by the device and install fields whether this client is a trusted client; if so, the ciphertext passes verification, otherwise execute step S45;
S45: check the operation of the client that sent the access request. If it is a login request, warn the client and require it to provide a trusted registration proof for verification; once verified, the current information is added to the server store, the client is marked as a trusted client, and the ciphertext passes verification; if verification fails, send an untrusted-operation warning to the currently online client, raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error. If the client is performing any operation other than a login request, send an untrusted-operation warning to the currently online client, raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error.
Further, the second adjustment scheme in step S4 is specifically: determine the current error type; if it is a timeout error, report an error requiring the client to log in again and redirect to the login page; if it is a ciphertext error, raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error.
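The following Python is an added example, not code from the patent, of the SecretMap construction in S131-S134 and the server-side checks of S41-S45 above. Because the page does not specify its hard-coded cipher, the example seals the JSON with an HMAC-SHA256 tag under a shared key (an assumption that gives the integrity S42 depends on but, unlike the page's cipher, no confidentiality); the average network delay, the trusted-client table and the registration-proof check are also constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Assumption: the patent's hard-coded cipher is unspecified, so SecretMap is sealed here as
# JSON plus an HMAC-SHA256 tag under a key shared by client and server. This gives the
# integrity that S42 relies on (a modified character fails to parse) but no confidentiality.
SHARED_KEY = b"constructed-demo-key-shared-by-client-and-server"

AVG_NETWORK_DELAY_S = 0.5      # assumed average latency; S43 tolerates at most twice this
TRUSTED_CLIENTS = {("Windows.Desktop", "2016-10-20T08:00:00Z")}   # constructed (device, install) pairs
DANGER_LOG = []                # the page's "dangerous client source" log: agent + IP per alarm


def build_secret_map(device, install, send_time):
    """S131-S133: a string-to-string map under the keys device, install and send."""
    return {"device": device, "install": install, "send": "%.3f" % send_time}


def seal(secret_map):
    """S134: serialize SecretMap as JSON and attach the tag (stand-in for the cipher)."""
    body = json.dumps(secret_map, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def unseal(token):
    """Return the SecretMap, or None if the token is malformed or any character was changed."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        m = json.loads(body.decode("utf-8"))
    except ValueError:
        return None
    return m if isinstance(m, dict) else None


def attack_warning(reason, agent, ip):
    """Every untrusted path on the page ends the same way: log agent and IP, report an error."""
    DANGER_LOG.append({"reason": reason, "agent": agent, "ip": ip})
    return {"ok": False, "error": reason, "attack_warning": True}


def parse_ciphertext(token, agent, ip, operation, registration_proof=None, current=None):
    """Server side of S41-S45. Returns a decision dict for the access request."""
    current = time.time() if current is None else current                  # S41
    m = unseal(token)                                                      # S42
    if m is None or any(k not in m for k in ("device", "install", "send")):
        return attack_warning("ciphertext cannot be parsed", agent, ip)
    try:
        send = float(m["send"])
    except (TypeError, ValueError):
        return attack_warning("ciphertext has an invalid send field", agent, ip)
    # S43: a send time in the future, or older than twice the average delay, is treated
    # as credential stuffing (a captured ciphertext being presented again).
    if current < send or current - send > 2 * AVG_NETWORK_DELAY_S:
        return attack_warning("suspected credential stuffing: stale or future send", agent, ip)
    # S44: trust is decided by the (device, install) pair the client embedded.
    if (m["device"], m["install"]) in TRUSTED_CLIENTS:
        return {"ok": True, "error": None, "attack_warning": False}
    # S45: an unregistered client may only log in, and only with a trusted registration
    # proof; "valid" stands in for whatever proof check a deployment uses (assumption).
    if operation == "login" and registration_proof == "valid":
        TRUSTED_CLIENTS.add((m["device"], m["install"]))
        return {"ok": True, "error": None, "attack_warning": False}
    return attack_warning("untrusted operation from unregistered client", agent, ip)
```

The integrity tag is what makes the "modified characters" alarm reliable at S42; with an unauthenticated cipher, altered ciphertext would decrypt to garbage that the JSON parser and field checks would still have to reject.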
The beneficial effects of the invention are as follows. Compared with the traditional approach, in which remembering a user's login state requires leaving related information on the server (a security problem) and the multi-platform states of a single system easily interfere with one another, the invention is specially optimized: with its authentication method no customer information is left on the server, data circulates in encrypted form, modifying characters, credential stuffing with a crawler engine or using expired ciphertext all raise an attack warning, the risk of using caches and the session-fixation attack risk caused by using sessions are effectively reduced, the method is not affected by CSRF, and the efficiency and security of identity verification are improved.
Brief description of the drawings
Fig. 1 is the flow chart of the single-system multi-platform authentication method of the invention;
Fig. 2 is the client login flow chart of the invention;
Fig. 3 is the encryption flow chart of the invention;
Fig. 4 is the ciphertext verification flow chart of the invention;
Fig. 5 is the ciphertext parsing flow chart of the invention.
Specific embodiments
The technical solution of the invention is further illustrated below with reference to the drawings.
As shown in Fig. 1, a single-system multi-platform authentication method comprises the following steps:
S1: the server obtains the user name and user password used when the client logs in, then looks the user up in the database; if the user exists, a ciphertext is provided for the user, otherwise an error is reported and the client is required to log in again. As shown in Fig. 2, this specifically comprises the following sub-steps:
S11: the server obtains the user name and user password used when the client logs in and looks the user up in the database; if the user exists, execute step S12, otherwise report an error and require the client to log in again;
S12: extract the client object from the database and extract its token field; if the token field is empty, execute step S13, otherwise execute step S14;
S13: using the put method, add the identification information of the current client, the current timestamp and the platform information of the client currently logging in to a string-string map; encrypt the map into a ciphertext and insert it into the cache;
Under the .NET framework, the agent field of the developed client is uniformly set to UWP; under the Android system it is uniformly set to ADW; and under the iOS system it is uniformly set to IOS. The namespaces (or packages) named below take UWP as the reference. As shown in Fig. 3, the encryption process comprises the following sub-steps:
S131: obtain the device type of the client (the content obtained from the DeviceFamily namespace can be used) and add it to the string-string map SecretMap with the put method, under the key device;
S132: obtain the time at which the current program package was installed (the content obtained from the Package namespace can be used) and add it to SecretMap with the put method, under the key install;
S133: obtain the system time and add it to SecretMap with the put method, under the key send;
S134: encrypt SecretMap in JSON form; the cipher used is defined during program development and is kept hard-coded in both client and server.
S14: parse the token field and restore it to plaintext; extract the agent field from the header of the login request message, use it as the key to access the corresponding field and set that field to the given content; then set the LastLogin field to the current timestamp; after the changes, encrypt to ciphertext and insert into the cache;
S15: return a login-success message and add the ciphertext to the header of the returned message as the ciphertext credential with which the client requests access to restricted resources.
S2: the server receives the access request for a restricted resource sent by the client, together with the ciphertext submitted by the user;
S3: the server verifies the ciphertext; if verification succeeds, proceed to step S4; if it fails, execute the first adjustment scheme.
As shown in Fig. 4, verifying the ciphertext comprises the following sub-steps:
S31: the server parses the header of the HTTP request message and extracts the verification-protocol agreement field from it; if extraction succeeds, execute S32, otherwise execute S36;
S32: decrypt the extracted agreement field to obtain a string-string map structure, called StatusMap; then extract the client agent field from the HTTP request message to obtain the platform the client is on;
S33: determine the platform the client uses; if it is the web platform, execute step S331; if it is a non-web platform, execute step S333;
S331: extract the web field from StatusMap as the verification content and check whether a protocol-content error is present; if the protocol contents are correct, proceed to step S332; if they are wrong, report an error, record a protocol-content error, then execute step S34;
S332: compare the protocol contents with the current timestamp to determine whether they have timed out; if so, report an error, record a timeout error, then execute step S34; if not, update the timer, then execute step S35;
S333: extract the response field as the verification content, maintain the persistent login information according to the respective protocol contents, and determine whether the login information verifies successfully; if so, execute step S35; otherwise report an error, record a login error, then execute step S34;
S34: show the client the error information and require it to log in again;
S35: regenerate the message, encrypt it according to the protocol contents of the server and the client, and add the new message to the pretoken field of the server response message;
S36: failure to extract the agreement field, or failure of its verification, means that an expired protocol message was used, which indicates a session-fixation attack pattern; the server raises an attack warning and writes it to the server log;
S37: extract the client identity information from StatusMap and use it as the token in the service logic.
The first adjustment scheme is specifically: analyze the verification result and check whether a ciphertext syntax error (Syntax Exception) is present; if so, raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and show an error message requiring the client to provide the ciphertext again;
if there is no ciphertext syntax error, check the request information in the HTTP message and analyze whether the agent and IP address in the message come from a dangerous client source; if so, raise an attack warning, write the information to the log, and require the client to provide the ciphertext again; otherwise show an error message requiring the client to provide the ciphertext again.
S4: the server parses the ciphertext, queries the relevant field contents according to the client information in the access request, and determines from the protocol contents of each client whether the current operation is erroneous; if there is no error, proceed to step S5, otherwise execute the second adjustment scheme.
As shown in Fig. 5, parsing the ciphertext comprises the following sub-steps:
S41: receive the access request message and ciphertext sent by the client and obtain the timestamp at which they are received, recorded as current;
S42: parse the ciphertext according to the protocol to obtain SecretMap; if parsing succeeds, execute step S43, otherwise raise an attack warning, write the agent information and IP address of the current access request to the dangerous-client-source log, and report an error to the client;
S43: parse the send field in SecretMap and compare it with current; if current is earlier than send, or the difference between current and send exceeds twice the average network delay, the request is treated as a credential-stuffing attack: raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error; otherwise execute step S44;
S44: parse the device and install fields in SecretMap and query the server by the device and install fields whether this client is a trusted client; if so, the ciphertext passes verification, otherwise execute step S45;
S45: check the operation of the client that sent the access request. If it is a login request, warn the client and require it to provide a trusted registration proof for verification; once verified, the current information is added to the server store, the client is marked as a trusted client, and the ciphertext passes verification; if verification fails, send an untrusted-operation warning to the currently online client, raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error. If the client is performing any operation other than a login request, send an untrusted-operation warning to the currently online client, raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error.
The second adjustment scheme is specifically: determine the current error type; if it is a timeout error (Overtime Exception), report an error requiring the client to log in again and redirect to the login page; if it is a ciphertext error (Protocol Exception), raise an attack warning, write the current agent information and IP address to the dangerous-client-source log, and report an error.
S5: the server returns a receipt allowing the client to access the restricted resource, re-encrypts the ciphertext, and sends the re-encrypted ciphertext back to the client.
Those of ordinary skill in the art will appreciate that the embodiments described here serve to help the reader understand the principles of the invention, and it should be understood that the scope of protection of the invention is not limited to these particular statements and embodiments. Those of ordinary skill in the art can, following the teaching of the techniques disclosed herein, make various other specific variations and combinations without departing from the essence of the invention, and these variations and combinations remain within the scope of the invention.

Claims (7)

1. a kind of multi-platform auth method of single system is it is characterised in that comprise the following steps:
S1, server obtain the user name using during client logon and user cipher, then access this user of database lookup Whether there is, if existing, providing ciphertext for this user, otherwise point out mistake and require client computer again to log in;
The access request for restriction resource that S2, server subscribing client send, and the ciphertext that receive user is submitted to;
S3, server authentication ciphertext, enter step S4 after being proved to be successful, checking is unsuccessful, executes the first Adjusted Option;
S4, server parsing ciphertext, the client information inquiry relevant field content being accessed according to request, according to each client computer Protocol contents determine that current operation whether there is mistake, then enter step S5 without mistake, otherwise execute the second adjustment side Case;
S5, server return and allow client computer to access the receipt limiting resource, and encrypted cipher text again, the ciphertext that encryption is completed Resend to client computer.
2. The single-system multi-platform authentication method according to claim 1, characterised in that step S1 specifically comprises the following sub-steps:
S11, the server obtains the user name and user password used when the client logs in and looks up in the database whether this user exists; if so, execute step S12, otherwise report an error and require the client to log in again;
S12, extract this client object from the database and extract its token field; if the token field is empty, execute step S13, otherwise execute step S14;
S13, using the put method, add the identification information of the current client, the current timestamp, and the information of the platform on which the client is currently logged in to a string-to-string map, encrypt the map into a ciphertext, and insert it into the cache;
S14, parse the token field and restore it to plaintext, extract the agent field from the header of the login request message, access the specific field as a key-value pair and modify it to the given content; then modify the LastLogin field to the current timestamp; after modification, encrypt it into a ciphertext and insert it into the cache;
S15, return the login-success information and add the ciphertext to the header of the returned message as the ciphertext credential with which the client requests access to restricted resources.
3. The single-system multi-platform authentication method according to claim 2, characterised in that the encryption process of step S13 comprises the following sub-steps:
S131, obtain the device type of the client and add it to the string-to-string map SecretMap using the put method;
S132, obtain the time at which the current program package was installed and add it to SecretMap using the put method;
S133, obtain the system time and add it to SecretMap using the put method;
S134, encrypt SecretMap in JSON form; the cipher used is defined during program development and is hard-coded in both client and server.
4. The single-system multi-platform authentication method according to claim 3, characterised in that verifying the ciphertext in step S3 comprises the following sub-steps:
S31, the server parses the header of the HTTP request message and extracts the authentication-protocol field from it; if extraction succeeds, execute S32, otherwise execute S36;
S32, decrypt the extracted authentication-protocol field to obtain a string-to-string map structure, called StatusMap; then extract the client agent field from the HTTP request message and obtain the platform on which the client is running;
S33, determine the platform used by the client; if it is the web platform, execute step S331; if it is a non-web platform, execute step S333;
S331, extract the web field from StatusMap as the verification content and analyse whether a protocol-content error occurs; if the protocol contents are correct, carry out step S332; if the protocol contents are wrong, report an error, record one protocol-content error, then execute step S34;
S332, judge whether the protocol contents have timed out compared with the current timestamp; if they have, report an error, record one timeout error, then execute step S34; if they have not, update the timer, then execute step S35;
S333, extract the response field as the verification content, maintain persistent login information according to the respective protocol contents, and judge whether the login information is verified successfully; if so, execute step S35; otherwise report an error, record one login error, then execute step S34;
S34, prompt the client with the error information and require it to log in again;
S35, regenerate the message, encrypt it according to the protocol contents of the server and the client, and add the new message to the pretoken field of the server response message;
S36, failure to extract the authentication-protocol field, or failure to verify it, means that an expired protocol message was used, which indicates that a session fixation attack has been received; the server generates an attack warning and writes it to the server log;
S37, extract the client identity information from StatusMap and use it as the token in the business logic.
5. The single-system multi-platform authentication method according to claim 4, characterised in that the first adjustment scheme in step S3 is specifically: analyse the verification result and check whether a ciphertext syntax error exists; if so, generate an attack warning, insert the current agent information and IP address information into the dangerous client sources and output them to the log, and prompt the error message, requiring the client to provide the ciphertext again;
If there is no ciphertext syntax error, check the request information in the HTTP message segment and analyse whether the agent and IP address in the message come from a dangerous client source; if so, generate an attack warning, output the information to the log, and then require the client to provide the ciphertext again; otherwise prompt the error message, requiring the client to provide the ciphertext again.
6. The single-system multi-platform authentication method according to claim 5, characterised in that parsing the ciphertext in step S4 comprises the following sub-steps:
S41, receive the access request message and ciphertext sent by the client, and record the timestamp at which the message and ciphertext were received as current;
S42, parse the ciphertext according to the protocol to obtain SecretMap; if parsing succeeds, execute step S43, otherwise generate an attack warning, insert the agent information and IP address information of the current access request message into the dangerous client sources and output them to the log, and prompt the client with an error;
S43, parse the send field in SecretMap and compare it with current; if current is earlier than send, or the difference between current and send is more than 2 times the average network delay, treat it as a credential-stuffing attack, generate an attack warning, insert the current agent information and IP address information into the dangerous client sources and output them to the log, and prompt an error; otherwise execute step S44;
S44, parse the device field and install field in SecretMap, and query the server with the device field and install field as to whether this client is a trusted client; if so, this ciphertext passes verification, otherwise execute step S45;
S45, inspect the operation of the client that sent the access request message: if it is a login request, prompt the client with a warning requiring it to provide a credible registration proof for verification; after verification passes, add the current information to the server for storage, mark this client as a trusted client, and let this ciphertext pass verification; if verification fails, send an untrusted-operation warning to the currently online client, generate an attack warning at the same time, insert the current agent information and IP address information into the dangerous client sources and output them to the log, and prompt an error; if the client is performing an operation other than a login request, send an untrusted-operation warning to the currently online client, generate an attack warning at the same time, insert the current agent information and IP address information into the dangerous client sources and output them to the log, and prompt an error.
7. The single-system multi-platform authentication method according to claim 6, characterised in that the second adjustment scheme in step S4 is specifically: judge the current error type; if it is a timeout-class error, prompt the error, require the client to log in again, and redirect to the login page; if it is a ciphertext error, generate an attack warning, insert the current agent information and IP address information into the dangerous client sources and output them to the log, and prompt an error.
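An added example, not part of the patent or of any implementation of it, showing the server-side checks of steps S42 to S44 in Python: the SecretMap of steps S131 to S134 is serialised as JSON, the patent's hard-coded cipher is replaced by an HMAC-SHA256 tag under a constructed key so the block runs on the standard library alone, and TRUSTED_CLIENTS, avg_delay and the log line format are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed key; the patent hard-codes its cipher in client and server (S134),
# this example substitutes an HMAC tag (integrity only, no confidentiality).
SECRET_KEY = b"constructed-example-key-do-not-reuse"
TAG_LEN = 32
# Constructed (device, install) pairs standing in for the trusted-client table (S44).
TRUSTED_CLIENTS = {("android", "1700000000")}


def build_secret_map(client_id, device, install_time, send_time):
    """S13/S131-S134: the string-to-string map the client submits with a request."""
    return {"client": client_id, "device": device,
            "install": str(install_time), "send": str(send_time)}


def seal(secret_map):
    """Serialise the map as JSON, append an HMAC-SHA256 tag, base64-encode."""
    body = json.dumps(secret_map, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def open_token(token):
    """S42: parse the submitted token; None on any syntax error or bad tag."""
    try:
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        secret_map = json.loads(body)
        return secret_map if isinstance(secret_map, dict) else None
    except (ValueError, TypeError):
        return None


def verify_request(token, agent, ip, current, avg_delay, log):
    """S42-S44: return (passed, reason); attack warnings are appended to log."""
    secret_map = open_token(token)
    try:
        send = float(secret_map["send"])
    except (TypeError, KeyError, ValueError):
        log.append(f"ATTACK ciphertext parse failed agent={agent} ip={ip}")
        return False, "ciphertext"
    # S43: a future send time, or one older than twice the average network
    # delay, is treated as a replayed credential (credential stuffing).
    if current < send or current - send > 2 * avg_delay:
        log.append(f"ATTACK stale or future send={send} agent={agent} ip={ip}")
        return False, "timestamp"
    # S44: only a known (device, install) pair passes without further proof.
    if (secret_map.get("device"), secret_map.get("install")) in TRUSTED_CLIENTS:
        return True, "trusted"
    return False, "untrusted"
```

A client failing the S44 lookup would continue into step S45 (registration proof), which this block leaves to the caller.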
CN201610933435.0A 2016-10-25 2016-10-25 Single-system multi-platform identity authentication method Active CN106453352B (en)
Publications (2)

Publication Number Publication Date
CN106453352A true CN106453352A (en) 2017-02-22
CN106453352B CN106453352B (en) 2020-04-17