CN109587140B - Implementation method of dynamic password proxy gateway based on openness - Google Patents


Publication number
CN109587140B
Authority
CN
China
Prior art keywords
dynamic password
proxy gateway
uuid
openness
proxy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811488974.3A
Other languages
Chinese (zh)
Other versions
CN109587140A (en)
Inventor
付强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Changhong Electric Co Ltd
Priority to CN201811488974.3A
Publication of CN109587140A
Application granted
Publication of CN109587140B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides an implementation method for an OpenResty-based dynamic password proxy gateway, belonging to the field of information security. It addresses the problem that some websites currently allow the service server to be accessed with weak passwords, which puts the information of individuals or enterprises at risk of illegal access. The key points of the technical scheme are: the proxy gateway intercepts the traffic flowing to the server and judges whether it has passed dynamic password authentication; if it has, the proxy gateway accesses the service website with the original weak password; otherwise, it jumps to a dynamic authentication page. The beneficial effects of the invention are: without changing the service, the security of the website is strengthened by deploying the proxy gateway, deployment is transparent, and the returned page is modified to provide good interactivity.

Description

Implementation method of dynamic password proxy gateway based on OpenResty
Technical Field
The invention relates to information security technology, and in particular to an implementation method for an OpenResty-based dynamic password proxy gateway.
Background
With the development of the internet and informatization, the number of websites has increased exponentially. However, a considerable number of websites allow the service server to be accessed with weak passwords, so the information of individuals or enterprises is at risk of being illegally accessed.
See patent application No. CN201610142344.5, which discloses a method for enhancing identity authentication. Its key points are: an enhanced identity authentication system is added to the application system; the user holds, on a terminal, an asymmetric key pair or an identification private key for the enhanced identity authentication system; when a client accesses the system, a user login page is returned that carries an authentication URL address and either a two-dimensional code picture of a randomly generated challenge value C or an enhanced authentication button; and the client performs identity authentication through the two-dimensional code or the enhanced authentication button.
The beneficial effect of that application is that an application system in B/S (browser/server) mode is given security protection. Without modifying the original application system, the method protects the user password, so that the system can resist weak passwords, password guessing, password library collision and the like. Implementing the method ensures that an application system with security vulnerabilities can also resist various attacks, such as SQL injection and cross-site attacks, initiated by users who have not logged in.
However, that application provides an enhanced identity authentication system with an asymmetric key pair or an identification private key, and it focuses on protecting the original login password and preventing others from cracking it.
Disclosure of Invention
The invention aims to provide an implementation method for an OpenResty-based dynamic password proxy gateway, solving the problem that some websites currently allow the service server to be accessed with weak passwords, which puts personal or enterprise information at risk of illegal access.
To solve this technical problem, the invention adopts the following technical scheme: the implementation method for an OpenResty-based dynamic password proxy gateway comprises the following steps:
Step 1: when a client requests access to the service server for the first time, the client obtains an authentication interface from the proxy gateway, inputs a dynamic password receiving mode, and sends it to the proxy gateway;
Step 2: the proxy gateway generates a random password, stores the dynamic password mode and the random dynamic password in memory as a key-value pair, calls the short message gateway interface, and sends the random dynamic password to the client;
Step 3: the client sends the dynamic password mode and the random dynamic password it obtained to the proxy gateway;
Step 4: the proxy gateway looks up in memory whether the received random dynamic password is present; if it is not found, the proxy gateway jumps to the dynamic authentication page and the flow enters step 1; if it is found, the request is proxied to the service server, that is, the client accesses the service server with the original weak password; when the response of the service server is obtained, the proxy gateway generates a globally unique sequence, denoted UUID, stores it in the response header cookie and in memory as the key-value pair UUID=XXXXXXX, and at the same time embeds a script for the exit link in the response body to remove the original exit link;
Step 5: when the authenticated user accesses again, the request carries a cookie with the key-value pair UUID=XXXXXXX;
Step 6: the proxy server looks up UUID=XXXXXXX in memory; if it is found, the proxy server proxies the request to the service server, obtains the response of the service server, stores the key-value pair UUID=XXXXXXX in the response header cookie, and embeds an exit link in the response body; if it is not found, the authentication interface is returned and the flow enters step 1;
Step 7: when the user clicks the exit link, a cookie with the key-value pair UUID=XXXXXXX is sent to the proxy server, the proxy server clears the corresponding value in memory, and the flow enters step 6 when the user accesses again.
Further, in step 1, the mode of receiving the dynamic password includes a mobile phone number.
Further, in step 1, the proxy gateway is OpenResty.
Further, in step 2, the memory uses OpenResty's built-in in-memory dictionary.
Further, in step 2, the random password generated by the proxy gateway is cleared after a prescribed time.
Further, the prescribed time is five minutes.
Further, in step 4, the globally unique sequence is cleared after a certain time.
Further, the certain time is six hours.
Further, in step 4, the script for the exit link is embedded in the response body in the form of a cookie, and the memory uses OpenResty's built-in in-memory dictionary.
Further, in step 4, a js script is embedded in the response page shown to the client, and the original exit link needs to be replaced.
The beneficial effect of the invention is that, with the implementation method for an OpenResty-based dynamic password proxy gateway, the proxy gateway intercepts the traffic flowing to the server and judges whether it has passed dynamic password authentication; if it has, the proxy gateway accesses the service website with the original weak password; otherwise, it jumps to the dynamic authentication page. Without changing the service, the security of the website is strengthened by deploying the proxy gateway, deployment is transparent, and the returned page is modified to provide good interactivity.
Drawings
Fig. 1 is an interaction diagram of a user accessing a service source station normally through a client.
Detailed Description
The technical scheme of the invention is described in detail below with reference to the accompanying drawings.
In a specific implementation, the implementation method for an OpenResty-based dynamic password proxy gateway may comprise the following steps:
Step 1: referring to Fig. 1, when a user accesses the service source station normally through a client and the client requests access to the service server for the first time, the client obtains an authentication interface from the proxy gateway, inputs a dynamic password receiving mode, which may be a mobile phone number, and sends it to the proxy gateway. The proxy gateway is preferably OpenResty.
Step 2: the proxy gateway generates a random password, stores the dynamic password mode (the mobile phone number) and the random dynamic password in memory as a key-value pair, calls the short message gateway interface, and sends the random dynamic password to the client. The random dynamic password is denoted key1 and may be cleared after a set time, such as five minutes, to prevent it from being cracked. The memory preferably uses OpenResty's built-in in-memory dictionary, which facilitates management.
Step 3: the client sends the dynamic password mode (the mobile phone number) and the random dynamic password it obtained to the proxy gateway; the obtained random dynamic password is denoted key1'.
Step 4: the proxy gateway looks up in memory whether the received random dynamic password key1' is present. If it is not found, the proxy gateway jumps to the dynamic authentication page and the flow enters step 1. The memory preferably uses OpenResty's built-in in-memory dictionary, which facilitates management. If it is found, the request is proxied to the service server, that is, the client accesses the service server with the original weak password. When the response of the service server is obtained, the proxy gateway generates a globally unique sequence, denoted UUID, stores it in the response header cookie and in memory as the key-value pair UUID=XXXXXXX, and at the same time embeds a script for the exit link in the response body, in the form of a cookie, to remove the original exit link. The globally unique sequence is cleared after a certain time to avoid being cracked; the certain time is preferably six hours. In step 4, a js script is embedded in the response page shown to the client, and the original exit link needs to be replaced.
Step 5: when the authenticated user accesses again, the request carries a cookie with the key-value pair UUID=XXXXXXX.
Step 6: the proxy server looks up UUID=XXXXXXX in memory; if it is found, the proxy server proxies the request to the service server, obtains the response of the service server, stores the key-value pair UUID=XXXXXXX in the response header cookie, and embeds an exit link in the response body; if it is not found, the authentication interface is returned and the flow enters step 1.
Step 7: when the user clicks the exit link, a cookie with the key-value pair UUID=XXXXXXX is sent to the proxy server, the proxy server clears the corresponding value in memory, and the flow enters step 6 when the user accesses again.
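The seven steps above, modelled as an added example (not code from the patent or from OpenResty): a Python state machine in which `TTLDict` stands in for the gateway's in-memory dictionary. The `send_sms` and `upstream` callables, the exit-link markup, the six-digit password format, the one-attempt-per-password rule and the `HttpOnly`/`Secure` cookie attributes are assumptions of this example.

```python
import hmac
import secrets
import time
import uuid

OTP_TTL = 5 * 60            # step 2: random password cleared after five minutes
SESSION_TTL = 6 * 60 * 60   # step 4: UUID cleared after six hours
EXIT_LINK = '<a href="/otp-exit">exit</a>'   # hypothetical exit-link markup


class TTLDict:
    """Stand-in for the gateway's in-memory dictionary; entries expire by TTL."""

    def __init__(self, clock):
        self._clock = clock
        self._data = {}

    def set(self, key, value, ttl):
        self._data[key] = (value, self._clock() + ttl)

    def get(self, key):
        value, expires = self._data.get(key, (None, 0))
        if value is None or self._clock() >= expires:
            self._data.pop(key, None)   # expired or unknown: treat as absent
            return None
        return value

    def delete(self, key):
        self._data.pop(key, None)


class OtpGateway:
    def __init__(self, send_sms, upstream, clock=time.time):
        self.otps = TTLDict(clock)       # phone number -> random dynamic password
        self.sessions = TTLDict(clock)   # UUID -> phone number
        self.send_sms = send_sms         # assumed short message gateway interface
        self.upstream = upstream         # assumed call to the service server

    def request_otp(self, phone):
        """Steps 1-2: generate key1, store it under the phone number, send it."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps.set(phone, otp, OTP_TTL)
        self.send_sms(phone, otp)

    def verify_otp(self, phone, submitted):
        """Steps 3-4: compare key1' with the stored key1; on success issue a UUID."""
        expected = self.otps.get(phone)
        self.otps.delete(phone)   # added hardening: one attempt per password
        if expected is None or not hmac.compare_digest(
                expected.encode(), submitted.encode()):
            return {"status": "auth_page"}
        token = uuid.uuid4().hex
        self.sessions.set(token, phone, SESSION_TTL)
        return self._proxied(token)

    def handle(self, cookie_uuid):
        """Steps 5-6: proxy only while the cookie's UUID is still in memory."""
        if not cookie_uuid or self.sessions.get(cookie_uuid) is None:
            return {"status": "auth_page"}
        return self._proxied(cookie_uuid)

    def logout(self, cookie_uuid):
        """Step 7: the exit link clears the UUID from memory."""
        self.sessions.delete(cookie_uuid)
        return {"status": "auth_page"}

    def _proxied(self, token):
        # HttpOnly/Secure/Path are added assumptions; the page specifies only UUID=...
        return {"status": "proxied",
                "set_cookie": f"UUID={token}; HttpOnly; Secure; Path=/",
                "body": self.upstream() + EXIT_LINK}
```

Because `handle` never refreshes the entry, a session ends six hours after authentication regardless of activity, which matches the fixed clearing time the description gives.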

Claims (10)

1. An implementation method for an OpenResty-based dynamic password proxy gateway, characterized by comprising the following steps:
Step 1: when a client requests access to the service server for the first time, the client obtains an authentication interface from the proxy gateway, inputs a dynamic password receiving mode, and sends it to the proxy gateway;
Step 2: the proxy gateway generates a random password, stores the dynamic password mode and the random dynamic password in memory as a key-value pair, calls the short message gateway interface, and sends the random dynamic password to the client;
Step 3: the client sends the dynamic password mode and the random dynamic password it obtained to the proxy gateway;
Step 4: the proxy gateway looks up in memory whether the received random dynamic password is present; if it is not found, the proxy gateway jumps to the dynamic authentication page and the flow enters step 1; if it is found, the request is proxied to the service server, that is, the client accesses the service server with the original weak password; when the response of the service server is obtained, the proxy gateway generates a globally unique sequence, denoted UUID, stores it in the response header cookie and in memory as the key-value pair UUID=XXXXXXX, and at the same time embeds a script for the exit link in the response body to remove the original exit link;
Step 5: when the authenticated user accesses again, the request carries a cookie with the key-value pair UUID=XXXXXXX;
Step 6: the proxy server looks up UUID=XXXXXXX in memory; if it is found, the proxy server proxies the request to the service server, obtains the response of the service server, stores the key-value pair UUID=XXXXXXX in the response header cookie, and embeds an exit link in the response body; if it is not found, the authentication interface is returned and the flow enters step 1;
Step 7: when the user clicks the exit link, a cookie with the key-value pair UUID=XXXXXXX is sent to the proxy server, the proxy server clears the corresponding value in memory, and the flow enters step 6 when the user accesses again.
2. The implementation method for an OpenResty-based dynamic password proxy gateway as claimed in claim 1, wherein in step 1, the mode of receiving the dynamic password includes a mobile phone number.
3. The implementation method for an OpenResty-based dynamic password proxy gateway as claimed in claim 1, wherein in step 1, the proxy gateway is OpenResty.
4. The implementation method for an OpenResty-based dynamic password proxy gateway as claimed in claim 1 or 3, wherein in step 2, the memory uses OpenResty's built-in in-memory dictionary.
5. The method as claimed in claim 1, wherein in step 2, the random password generated by the proxy gateway is cleared after a predetermined time.
6. The method of claim 5, wherein the predetermined time is five minutes.
7. The method as claimed in claim 1, wherein in step 4, the globally unique sequence is cleared after a certain time.
8. The method of claim 7, wherein the certain time is six hours.
9. The implementation method for an OpenResty-based dynamic password proxy gateway as claimed in claim 1 or 3, wherein in step 4, the script for the exit link is embedded in the response body in the form of a cookie, and the memory uses OpenResty's built-in in-memory dictionary.
10. The method as claimed in claim 1, wherein in step 4, a js script is embedded in the response page shown to the client, and the original exit link needs to be replaced.
CN201811488974.3A 2018-12-06 2018-12-06 Implementation method of dynamic password proxy gateway based on openness Active CN109587140B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811488974.3A CN109587140B (en) 2018-12-06 2018-12-06 Implementation method of dynamic password proxy gateway based on openness

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811488974.3A CN109587140B (en) 2018-12-06 2018-12-06 Implementation method of dynamic password proxy gateway based on openness

Publications (2)

Publication Number Publication Date
CN109587140A CN109587140A (en) 2019-04-05
CN109587140B true CN109587140B (en) 2021-11-30

Family

ID=65927507

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811488974.3A Active CN109587140B (en) 2018-12-06 2018-12-06 Implementation method of dynamic password proxy gateway based on openness

Country Status (1)

Country Link
CN (1) CN109587140B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110086831A (en) * 2019-05-23 2019-08-02 智者四海(北京)技术有限公司 Method for authenticating for gateway
CN114915435B (en) * 2021-02-09 2024-03-19 网联清算有限公司 Service data access method and system
CN113746941B (en) * 2021-11-04 2022-02-08 深圳市明源云采购科技有限公司 Method, device and storage medium for removing restriction of third-party cookie

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404305A (en) * 2010-09-19 2012-04-04 中华电信股份有限公司 Method for identity authentication of Internet user
CN103188295A (en) * 2011-12-28 2013-07-03 上海格尔软件股份有限公司 WEB single sign-on method completely transparent to user and application
CN105227571A (en) * 2015-10-20 2016-01-06 福建六壬网安股份有限公司 Based on web application firewall system and its implementation of nginx+lua
US9503452B1 (en) * 2016-04-07 2016-11-22 Automiti Llc System and method for identity recognition and affiliation of a user in a service transaction
CN106209894A (en) * 2016-07-27 2016-12-07 福建富士通信息软件有限公司 A kind of method based on NGINX unified certification and system
CN106803822A (en) * 2015-11-26 2017-06-06 北京网御星云信息技术有限公司 The safety access method and device of network application
CN107438058A (en) * 2016-05-27 2017-12-05 北京京东尚科信息技术有限公司 The filter method and filtration system of user's request
CN108462671A (en) * 2017-02-20 2018-08-28 沪江教育科技(上海)股份有限公司 A kind of authentication protection method and system based on reverse proxy

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5826014A (en) * 1996-02-06 1998-10-20 Network Engineering Software Firewall system for protecting network elements connected to a public network
CN104994102A (en) * 2015-07-08 2015-10-21 浪潮软件股份有限公司 Enterprise information system authentication and access control method based on reverse proxy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Implementing a transparently deployed dynamic password function based on OpenResty; chenjc; <https://www.freebuf.com/articles/network/150959.html>; 20171029; see pages 1-3 of the main text *

Also Published As

Publication number Publication date
CN109587140A (en) 2019-04-05

Similar Documents

Publication Publication Date Title
US9900346B2 (en) Identification of and countermeasures against forged websites
US10491587B2 (en) Method and device for information system access authentication
Kim et al. A design of user authentication system using QR code identifying method
US8245030B2 (en) Method for authenticating online transactions using a browser
US7685631B1 (en) Authentication of a server by a client to prevent fraudulent user interfaces
CN102624739B (en) Authentication and authorization method and system applied to client platform
CN104580364B (en) A kind of method and apparatus of resource sharing
CN109587140B (en) Implementation method of dynamic password proxy gateway based on openness
US20210168611A1 (en) Method for securely sharing a url
CN103944900A (en) Cross-station request attack defense method and device based on encryption
US11770385B2 (en) Systems and methods for malicious client detection through property analysis
WO2007015253A2 (en) Two-factor authentication employing a user's ip address
CN111355726A (en) Identity authorization login method and device, electronic equipment and storage medium
US9401886B2 (en) Preventing personal information from being posted to an internet
CN112422477A (en) Service authentication method, server, electronic device and storage medium
Amro Phishing techniques in mobile devices
CN113938283B (en) Code scanning login method, system, device, electronic equipment and storage medium
US9197591B2 (en) Method and system for validating email from an internet application or website
CN109726578B (en) Dynamic two-dimensional code anti-counterfeiting solution
Wedman et al. An analytical study of web application session management mechanisms and HTTP session hijacking attacks
Fokes et al. A survey of security vulnerabilities in social networking media: the case of Facebook
US20160366172A1 (en) Prevention of cross site request forgery attacks
CN104917755A (en) Login method based on mobile communication terminal and short message
US9652621B2 (en) Electronic transmission security process
Gao et al. A research of security in website account binding

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant