CN107835193A - A kind of safety communication system and method based on signature mechanism - Google Patents
A kind of safety communication system and method based on signature mechanism
- Publication number: CN107835193A
- Application number: CN201711238246.2A
- Authority: CN (China)
- Prior art keywords: request, signature, key, nonce, client
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials; H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The present invention relates to a secure communication system and method based on a signature mechanism. The system comprises a request signature key management module, a request replay time window management module and a request security check module. The request signature key management module creates the signature key used by the two communicating parties; the signature key consists of a key and a secret, is kept by both parties, and must be re-created if it leaks. The request replay time window management module lets the server decide whether a received packet was sent within the valid time window. The request security check module has the client send a signed packet; the server receives it and compares signatures: if the comparison succeeds the request is let through, if it fails the request is rejected.
Description
Technical field
The invention belongs to the field of communication technology and relates to a secure communication system and method, in particular a secure communication system and method based on a signature mechanism.
Background technology
In recent years, with the continuing spread of Internet applications, communication between computers has become ever more important, and its security problems ever more prominent. Communication between computers normally uses various communication protocols, such as TCP/IP, UDP, HTTP, FTP and TELNET.
TCP/IP is a transport-layer protocol that mainly addresses how data is transmitted across a network; HTTP is an application-layer protocol that mainly addresses how data is packaged. Communication based on either faces the same problem: an attacker can easily capture request messages with a packet-capture tool (such as Fiddler) and then carry out the following destructive activities:
repeatedly send the identical message, so that the business operation is executed repeatedly;
intercept the message, tamper with its content and resend it, so that the business operation is executed on altered data.
For a customer's business these behaviours can cause immeasurable loss, for example a recharge being credited repeatedly or the content of a message being tampered with. This is a deficiency of the prior art.
Therefore, to address the above drawbacks of the prior art, it is necessary to design a secure communication system and method based on a signature mechanism that solves the above technical problem.
The content of the invention
The object of the present invention, in view of the above drawbacks of the prior art, is to provide a secure communication system and method based on a signature mechanism that solves the above technical problem.
To achieve this object, the present invention provides the following technical scheme:
A secure communication system based on a signature mechanism, characterised in that it comprises a request signature key management module, a request replay time window management module and a request security check module;
the request signature key management module creates the signature key used by the two communicating parties; the signature key consists of a key and a secret, is kept by both parties, and must be re-created if it leaks;
the request replay time window management module is used by the server to decide whether a received packet was sent within the valid time window;
the request security check module has the client send a signed packet; the server receives it and compares signatures: if the comparison succeeds the request is let through, if it fails the request is rejected.
A secure communication method based on a signature mechanism, characterised in that it comprises the following steps:
S1: the client initiates a request;
S2: server-side replay detection: the server receives the request and performs replay detection; a request that fails replay detection is discarded;
S3: server-side signature comparison: a request that passes replay detection goes on to signature comparison; a request whose comparison fails is discarded.
Preferably, in step S1, the request message header carries the following:
the signature key identifier key, which identifies a legitimate client and from which the server looks up the corresponding secret;
the signature SignA, generated over the request message data using the secret corresponding to key;
the time timestamp at which the request was initiated, used by the server to judge whether the request has expired; this time participates in the signature calculation;
the random number nonce, generated when the request is initiated, used by the server to judge whether the request is a replay; this random number participates in the signature calculation.
Preferably, step S2 comprises the following steps:
S21: timestamp check; timestamp is the point in time at which the client initiated the request.
The concrete step of the timestamp check is to compare the server's current time with the timestamp at which the client initiated the request: if both lie within the valid_time window, continue with the nonce check; otherwise the request is judged invalid and discarded.
Because a normal HTTP request ordinarily takes no longer than a configurable time threshold valid_time (for example 15 minutes or 60 seconds) to travel from issue to arrival at the server, the server, on receiving an HTTP request, first compares the timestamp parameter with the current time; if the difference exceeds the threshold valid_time, the request is treated as illegal.
S22: nonce check; nonce is a random string sent by the client, which must be unique and different for every request the client makes. For example, it can be constructed as a UUID, or as the hash of the timestamp together with the client's IP address, MAC address and similar information, and used as the nonce parameter. The nonce parameter of every request is stored in a "set", for example in JSON form in a distributed cache or database.
The concrete practice of the nonce check is that, when each HTTP request is processed, the server judges whether the request's nonce parameter is already in the "set": if it is, the request is treated as illegal; if it is not, the nonce parameter is registered in the "set".
Preferably, step S3 comprises the following steps:
S31: take the key carried in the request message and look up the corresponding secret locally;
S32: from the request packet, construct the same signature-algorithm input as the client and calculate the signature SignB;
note that timestamp and nonce participate in the signature calculation on both the server and the client;
S33: compare SignA and SignB; if they are identical the request is legitimate, otherwise it is a forged or tampered request.
A request whose signature comparison passes on the server can proceed to subsequent processing, such as the server's business logic.
The beneficial effect of the present invention is that, against request tampering and request replay, it uses a timestamp and nonce comparison mechanism, a signature mechanism and a request interception mechanism to efficiently identify forged and replayed requests, supports extensible signature algorithms, and has high practicality and generality.
In addition, the design principle of the present invention is reliable and its structure simple, so it has very broad application prospects.
It can thus be seen that, compared with the prior art, the present invention has prominent substantive features and notable progress, and the beneficial effects of its implementation are also obvious.
Brief description of the drawings
Fig. 1 is a functional block diagram of a secure communication system based on a signature mechanism provided by the invention.
Fig. 2 is a communication schematic of the request signature key management module in a secure communication system based on a signature mechanism provided by the invention.
Fig. 3 is a communication schematic of the request replay time window management module in a secure communication system based on a signature mechanism provided by the invention.
Fig. 4 is a communication schematic of the request security check module in a secure communication system based on a signature mechanism provided by the invention.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings and by means of specific embodiments; the following embodiments explain the present invention, and the invention is not limited to the implementation below.
As shown in Figures 1 to 4, a secure communication system based on a signature mechanism provided by the invention is characterised in that it comprises a request signature key management module, a request replay time window management module and a request security check module;
the request signature key management module creates the signature key used by the two communicating parties; the signature key consists of a key and a secret, is kept by both parties, and must be re-created if it leaks;
the request replay time window management module is used by the server to decide whether a received packet was sent within the valid time window;
the request security check module has the client send a signed packet; the server receives it and compares signatures: if the comparison succeeds the request is let through, if it fails the request is rejected.
The present invention provides a secure communication method based on a signature mechanism, characterised in that it comprises the following steps:
S1: the client initiates a request;
S2: server-side replay detection: the server receives the request and performs replay detection; a request that fails replay detection is discarded;
S3: server-side signature comparison: a request that passes replay detection goes on to signature comparison; a request whose comparison fails is discarded.
In the present embodiment, in step S1, the request message header carries the following:
the signature key identifier key, which identifies a legitimate client and from which the server looks up the corresponding secret;
the signature SignA, generated over the request message data using the secret corresponding to key;
the time timestamp at which the request was initiated, used by the server to judge whether the request has expired; this time participates in the signature calculation;
the random number nonce, generated when the request is initiated, used by the server to judge whether the request is a replay; this random number participates in the signature calculation.
In the present embodiment, step S2 comprises the following steps:
S21: timestamp check; timestamp is the point in time at which the client initiated the request.
The concrete step of the timestamp check is to compare the server's current time with the timestamp at which the client initiated the request: if both lie within the valid_time window, continue with the nonce check; otherwise the request is judged invalid and discarded.
Because a normal HTTP request ordinarily takes no longer than a configurable time threshold valid_time (for example 15 minutes or 60 seconds) to travel from issue to arrival at the server, the server, on receiving an HTTP request, first compares the timestamp parameter with the current time; if the difference exceeds the threshold valid_time, the request is treated as illegal.
S22: nonce check; nonce is a random string sent by the client, which must be unique and different for every request the client makes. For example, it can be constructed as a UUID, or as the hash of the timestamp together with the client's IP address, MAC address and similar information, and used as the nonce parameter. The nonce parameter of every request is stored in a "set", for example in JSON form in a distributed cache or database.
The concrete practice of the nonce check is that, when each HTTP request is processed, the server judges whether the request's nonce parameter is already in the "set": if it is, the request is treated as illegal; if it is not, the nonce parameter is registered in the "set".
In the present embodiment, step S3 comprises the following steps:
S31: take the key carried in the request message and look up the corresponding secret locally;
S32: from the request packet, construct the same signature-algorithm input as the client and calculate the signature SignB;
note that timestamp and nonce participate in the signature calculation on both the server and the client;
S33: compare SignA and SignB; if they are identical the request is legitimate, otherwise it is a forged or tampered request.
A request whose signature comparison passes on the server can proceed to subsequent processing, such as the server's business logic.
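The S1 to S3 procedure, as laid out in the summary above and repeated in this embodiment, written out as an added Python example; this is not code from the patent. The header names, the layout of the signature input, HMAC-SHA256 as the signature algorithm and the in-memory key store are assumptions, since the page leaves the algorithm open and only requires that timestamp and nonce be covered by the signature.

```python
import hashlib
import hmac
import secrets
import time

# Configurable validity window; the page gives 15 minutes or 60 seconds as examples.
VALID_TIME = 60

# Constructed key store: key -> secret, shared out of band by both parties and
# re-created if the secret ever leaks (the page's request signature key module).
KEY_STORE = {"client-001": b"constructed-demo-secret"}


def signature_input(method, path, body, key, timestamp, nonce):
    """Build the byte string both sides sign. The layout is an assumption (the
    page leaves the algorithm open); it must cover timestamp and nonce."""
    body_digest = hashlib.sha256(body).hexdigest()
    fields = [method, path, body_digest, key, str(timestamp), nonce]
    return "\n".join(fields).encode()


def sign(secret, method, path, body, key, timestamp, nonce):
    """HMAC-SHA256 over the signature input; an assumed, swappable algorithm."""
    data = signature_input(method, path, body, key, timestamp, nonce)
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def build_request(key, secret, method, path, body, now=None):
    """Client side (S1): attach key, timestamp, nonce and SignA to the request."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # fresh random string per request
    sign_a = sign(secret, method, path, body, key, timestamp, nonce)
    headers = {"key": key, "timestamp": str(timestamp),
               "nonce": nonce, "signature": sign_a}
    return {"method": method, "path": path, "body": body, "headers": headers}


class Server:
    """Server side: S2 replay detection, then S3 signature comparison."""

    def __init__(self, key_store, valid_time=VALID_TIME):
        self.key_store = key_store
        self.valid_time = valid_time
        self.seen = {}  # the page's nonce "set", kept as nonce -> timestamp

    def _purge(self, now):
        # A nonce older than the window can never pass S21 again, so the set
        # only has to hold nonces from the current window.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= self.valid_time}

    def check(self, request, now=None):
        now = int(time.time() if now is None else now)
        h = request["headers"]
        # S21: timestamp must lie within valid_time of the server clock.
        try:
            timestamp = int(h["timestamp"])
        except (KeyError, ValueError):
            return "reject: bad timestamp"
        if abs(now - timestamp) > self.valid_time:
            return "reject: expired"
        # S22: nonce must not have been seen before; register it otherwise.
        self._purge(now)
        nonce = h.get("nonce", "")
        if not nonce or nonce in self.seen:
            return "reject: replay"
        self.seen[nonce] = timestamp
        # S31: look up the secret for the carried key.
        secret = self.key_store.get(h.get("key", ""))
        if secret is None:
            return "reject: unknown key"
        # S32/S33: recompute SignB over the same input and compare it in
        # constant time with the carried SignA.
        sign_b = sign(secret, request["method"], request["path"],
                      request["body"], h["key"], timestamp, nonce)
        if not hmac.compare_digest(sign_b, h.get("signature", "")):
            return "reject: bad signature"
        return "accept"
```

The example keeps the page's order and registers the nonce before the signature is checked; registering it only after S33 succeeds stops unauthenticated requests from filling the nonce set.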
What is disclosed above is only a preferred embodiment of the present invention, but the present invention is not limited to it; any non-inventive change that a person skilled in the art could think of, and any improvement or modification made without departing from the principles of the present invention, shall fall within the scope of the present invention.
Claims (5)
1. A secure communication system based on a signature mechanism, characterised in that it comprises a request signature key management module, a request replay time window management module and a request security check module;
the request signature key management module creates the signature key used by the two communicating parties; the signature key consists of a key and a secret, is kept by both parties, and must be re-created if it leaks;
the request replay time window management module is used by the server to decide whether a received packet was sent within the valid time window;
the request security check module has the client send a signed packet; the server receives it and compares signatures: if the comparison succeeds the request is let through, if it fails the request is rejected.
2. A secure communication method based on a signature mechanism, characterised in that it comprises the following steps:
S1: the client initiates a request;
S2: server-side replay detection: the server receives the request and performs replay detection; a request that fails replay detection is discarded;
S3: server-side signature comparison: a request that passes replay detection goes on to signature comparison; a request whose comparison fails is discarded.
3. The secure communication method based on a signature mechanism according to claim 2, characterised in that, in step S1, the request message header carries the following:
the signature key identifier key, which identifies a legitimate client and from which the server looks up the corresponding secret;
the signature SignA, generated over the request message data using the secret corresponding to key;
the time timestamp at which the request was initiated, used by the server to judge whether the request has expired; this time participates in the signature calculation;
the random number nonce, generated when the request is initiated, used by the server to judge whether the request is a replay; this random number participates in the signature calculation.
4. The secure communication method based on a signature mechanism according to claim 2 or 3, characterised in that step S2 comprises the following steps:
S21: timestamp check; timestamp is the point in time at which the client initiated the request;
the concrete step of the timestamp check is to compare the server's current time with the timestamp at which the client initiated the request: if both lie within the valid_time window, continue with the nonce check; otherwise the request is judged invalid and discarded;
S22: nonce check; nonce is a random string sent by the client, which must be unique and different for every request the client makes; the nonce parameter of every request is stored in a "set";
the concrete practice of the nonce check is that, when each HTTP request is processed, the server judges whether the request's nonce parameter is already in the "set": if it is, the request is treated as illegal; if it is not, the nonce parameter is registered in the "set".
5. The secure communication method based on a signature mechanism according to claim 4, characterised in that step S3 comprises the following steps:
S31: take the key carried in the request message and look up the corresponding secret locally;
S32: from the request packet, construct the same signature-algorithm input as the client and calculate the signature SignB;
S33: compare SignA and SignB; if they are identical the request is legitimate, otherwise it is a forged or tampered request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711238246.2A CN107835193A (en) | 2017-11-30 | 2017-11-30 | A kind of safety communication system and method based on signature mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711238246.2A CN107835193A (en) | 2017-11-30 | 2017-11-30 | A kind of safety communication system and method based on signature mechanism |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107835193A true CN107835193A (en) | 2018-03-23 |
Family
ID=61646796
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711238246.2A Pending CN107835193A (en) | 2017-11-30 | 2017-11-30 | A kind of safety communication system and method based on signature mechanism |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107835193A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108632044A (en) * | 2018-04-27 | 2018-10-09 | 济南浪潮高新科技投资发展有限公司 | A kind of information interaction system based on Self-certified code |
CN109639672A (en) * | 2018-12-11 | 2019-04-16 | 北京首汽智行科技有限公司 | The method and system for preventing Replay Attack based on JWT data |
CN109818746A (en) * | 2018-12-28 | 2019-05-28 | 深圳竹云科技有限公司 | A kind of method of safe offer restful interface |
CN110719259A (en) * | 2019-09-12 | 2020-01-21 | 视联动力信息技术股份有限公司 | Data processing method and video networking system |
CN115412282A (en) * | 2022-06-28 | 2022-11-29 | 浪潮云信息技术股份公司 | Message security check method based on MQTT protocol |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012040377A1 (en) * | 2010-09-21 | 2012-03-29 | Visa International Service Association | Device enrollment system and method |
CN103139200A (en) * | 2013-01-06 | 2013-06-05 | 深圳市元征科技股份有限公司 | Single sign-on method of web service |
CN103391292A (en) * | 2013-07-18 | 2013-11-13 | 百度在线网络技术(北京)有限公司 | Mobile-application-oriented safe login method, system and device |
CN107135073A (en) * | 2016-02-26 | 2017-09-05 | 北京京东尚科信息技术有限公司 | Interface interchange method and apparatus |
- 2017-11-30: CN application CN201711238246.2A (publication CN107835193A), status active, pending
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
TA01 | Transfer of patent application right | Effective date of registration: 20200519. Address after: Building S01, Inspur Science Park, No. 1036, Inspur Road, high tech Zone, Jinan City, Shandong Province, 250000. Applicant after: Tidal Cloud Information Technology Co.,Ltd. Address before: 450000 Henan province Zheng Dong New District of Zhengzhou City Xinyi Road No. 278 16 floor room 1601. Applicant before: ZHENGZHOU YUNHAI INFORMATION TECHNOLOGY Co.,Ltd. |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180323 |