CN109756460A - A kind of anti-replay-attack method and device - Google Patents

Info

Publication number
CN109756460A
Authority
CN
China
Prior art keywords
sequence number
service ticket
window
sequence
client
Prior art date
Legal status
Granted
Application number
CN201711079676.4A
Other languages
Chinese (zh)
Other versions
CN109756460B (en)
Inventor
陈荣沥
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of the mobile Internet, and in particular to an anti-replay-attack method and device. A service request sent by a client is received; the service request carries at least the client's service ticket and a sequence number, where the sequence number is obtained by adding a preset increment step to the sequence number the client carried in its previous service request. According to a preset validity period, the server judges whether the service ticket is valid; it then judges whether the sequence number lies within the sequence-number window saved for that service ticket and whether it has not yet been recorded, and from this decides whether the sequence number is legal and whether the service request is a replay request. In this way the client achieves replay protection simply by carrying the service ticket and an incrementing sequence number in each service request, which reduces the number of interactions and improves efficiency and system performance. The server saves the sequence-number window associated with the service ticket and sets a validity period, so the stored information can be effectively bounded; the sequence-number window also avoids false rejections, and strict time synchronisation is not required.

Description

A kind of anti-replay-attack method and device
Technical field
The present invention relates to the field of the mobile Internet, and in particular to an anti-replay-attack method and device.
Background technique
A replay attack (also called a playback attack or freshness attack) is an attack in which the attacker intercepts a packet that the destination host has already received and retransmits it in order to deceive that host. Such an attack can maliciously or fraudulently repeat a valid data transmission any number of times: the attacker steals the authentication credential by network sniffing or some other means and later sends it to the server again. Replay attacks can occur in any network communication, and the servers of today's network services are frequently subjected to them.
In the prior art, one anti-replay-attack method is the challenge-response method. When the client requests the server, the server first generates a random number and returns it to the client; the client then accesses the server carrying this random number, and the server compares the parameter presented by the client with the one it issued. If they are consistent, the request is not treated as a replay attack and access is allowed.
However, in the challenge-response method the client must, for every service request, first ask the server to generate a challenge code and then carry the response code when it performs the actual business access. That is, the client and server have to interact twice, which reduces system performance and is a serious burden for high-concurrency systems such as network servers.
Summary of the invention
Embodiments of the present invention provide an anti-replay-attack method and device, to solve the problem that the anti-replay-attack methods of the prior art are inefficient and reduce system performance.
The specific technical solution provided in the embodiments of the present invention is as follows:
An anti-replay-attack method, comprising:
receiving a service request sent by a client, wherein the service request carries at least the client's service ticket and a sequence number, and the sequence number is obtained by adding a preset increment step to the sequence number the client carried in its previous service request;
judging, according to a preset validity period, whether the service ticket is within the preset validity period, and if so, determining that the service ticket is valid;
judging, according to the saved sequence-number window corresponding to the service ticket, whether the sequence number is within that window, and judging, according to the recorded sequence numbers already accessed for the service ticket, whether the sequence number has not yet been recorded; if both hold, determining that the sequence number is legal and that the service request is not a replay request.
Preferably, the method further comprises:
receiving a login request sent by the client;
after determining that the identity check of the client passes, returning a service ticket and an initial sequence number to the client; generating, from the preset window size and the initial sequence number, a sequence-number window of the preset window size centred on the initial sequence number; taking the sequence numbers in that window as the sequence numbers corresponding to the service ticket; and saving the service ticket together with its corresponding sequence-number window.
Preferably, the method further comprises:
if it is determined that the sequence number is within the sequence-number window, updating the saved sequence-number window corresponding to the service ticket so that it is centred on that sequence number with the preset window size, recording the sequence number, and updating the record of sequence numbers already accessed for the service ticket.
Preferably, the method further comprises:
if it is determined that the service ticket is not within the preset validity period, clearing the saved service ticket, the sequence-number window corresponding to it, and the recorded sequence numbers already accessed for it.
Preferably, the method further comprises:
determining, according to a preset anti-tamper check method, that the service request passes verification.
An anti-replay-attack device, comprising:
a first receiving unit, for receiving a service request sent by a client, wherein the service request carries at least the client's service ticket and a sequence number, and the sequence number is obtained by adding a preset increment step to the sequence number the client carried in its previous service request;
a first judging unit, for judging, according to a preset validity period, whether the service ticket is within the preset validity period, and if so, determining that the service ticket is valid;
a second judging unit, for judging, according to the saved sequence-number window corresponding to the service ticket, whether the sequence number is within that window, and judging, according to the recorded sequence numbers already accessed for the service ticket, whether the sequence number has not yet been recorded; if both hold, determining that the sequence number is legal and that the service request is not a replay request.
Preferably, the device further comprises:
a second receiving unit, for receiving a login request sent by the client;
a transmission unit, for returning a service ticket and an initial sequence number to the client after determining that the identity check of the client passes;
a saving and updating unit, for generating, from the preset window size and the initial sequence number, a sequence-number window of the preset window size centred on the initial sequence number, taking the sequence numbers in that window as the sequence numbers corresponding to the service ticket, and saving the service ticket together with its corresponding sequence-number window.
Preferably, the saving and updating unit is further used for:
if it is determined that the sequence number is within the sequence-number window, updating the saved sequence-number window corresponding to the service ticket so that it is centred on that sequence number with the preset window size, recording the sequence number, and updating the record of sequence numbers already accessed for the service ticket.
Preferably, the device further comprises:
a clearing unit, for clearing the saved service ticket, the sequence-number window corresponding to it, and the recorded sequence numbers already accessed for it, if it is determined that the service ticket is not within the preset validity period.
Preferably, the device further comprises:
a third judging unit, for determining, according to a preset anti-tamper check method, that the service request passes verification.
A computer device, comprising:
at least one memory, for storing a computer program;
at least one processor, for executing the computer program stored in the memory and thereby implementing the steps of the anti-replay-attack method of the embodiments of the present invention.
A computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the anti-replay-attack method of the embodiments of the present invention when executed by a processor.
In the embodiments of the present invention, a service request sent by a client is received, where the service request carries at least the client's service ticket and a sequence number, and the sequence number is obtained by adding a preset increment step to the sequence number carried in the client's previous service request. According to a preset validity period it is judged whether the service ticket is within that period, and if so the service ticket is determined to be valid. According to the saved sequence-number window corresponding to the service ticket it is judged whether the sequence number is within the window, and according to the recorded sequence numbers already accessed for the service ticket it is judged whether the sequence number has not yet been recorded; if both hold, the sequence number is determined to be legal and the service request is determined not to be a replay request. In this way the client carries a service ticket and an incrementing sequence number when sending service requests and does not need to interact with the server first to obtain a random number each time, which reduces the number of interactions with the server and improves efficiency and system performance. The sequence-number window associated with the service ticket is saved and a validity period is set, so the stored information can be effectively bounded. Because a whole window rather than a single sequence number is saved, false rejections in the case of concurrent requests are avoided. The server only needs to set a validity period for the service ticket and does not need to guarantee time synchronisation between server and client, which reduces complexity.
Detailed description of the invention
Fig. 1 is an overview flow chart of the anti-replay-attack method in an embodiment of the present invention;
Fig. 2 is a detailed flow chart of the anti-replay-attack method in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the structure of the anti-replay-attack device in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the server architecture in an embodiment of the present invention.
Specific embodiment
The technical solution in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some of the embodiments of the present invention and not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
As shown in Fig. 1, the anti-replay-attack method provided in an embodiment of the present invention specifically includes the following steps:
Step 100: receive the service request sent by the client, where the service request carries at least the client's service ticket and a sequence number, and the sequence number is obtained by adding a preset increment step to the sequence number the client carried in its previous service request.
In practice, for example in login authentication based on OAuth 2.0, when a client communicates with a server the client first requests to log in to the server; once the server has verified the client's identity, the client can send service requests to the server to perform the corresponding business.
In the embodiment of the present invention, when step 100 is executed, the client sends a service request to the server and must carry in it the service ticket obtained at login authentication and an incrementing sequence number; the server uses these to decide whether the request is a replay attack.
The initial value of the sequence number and the service ticket are returned to the client when the server receives the client's login request, so that the client sends service requests on the basis of that service ticket and initial sequence number.
Before step 100 is executed, the method further comprises:
First, receiving the login request sent by the client.
Then, after determining that the identity check of the client passes, returning a service ticket and an initial sequence number to the client; generating, from the preset window size and the initial sequence number, a sequence-number window of the preset window size centred on the initial sequence number; taking the sequence numbers in that window as the sequence numbers corresponding to the service ticket; and saving the service ticket together with its corresponding sequence-number window.
For example, the login request sent by the client is received and the client's identity is verified; the returned service ticket is A, the initial sequence number is 100, and the preset window size is 11. The sequence-number window of size 11 centred on 100 is therefore [95,105]. The server stores the sequence-number window associated with each service ticket, so it saves [95,105] as the window corresponding to service ticket A.
Whether the client's identity check passes can be determined by comparing the username and password with which the client logs in against the username and password saved in advance; if they are consistent, the client's identity check is determined to have passed.
In the embodiment of the present invention a sequence-number window is stored, rather than a single sequence number, to judge whether the sequence number sent by the client is legal. This is because, under concurrent requests, a service request carrying a larger sequence number may reach the server before one carrying a smaller sequence number, and the later-arriving request with the smaller number would then be treated as a replay and dropped. Setting a certain window size avoids storing too much information while also preventing such false rejections.
For example, the sequence-number window corresponding to service ticket A is [95,105] and the service request sent by the client carries sequence number 103. Access is allowed, 103 is recorded as an accessed sequence number, and the window is adjusted to [98,108]; only the accessed sequence numbers that fall within the adjusted window are retained. If the client later sends a service request carrying sequence number 101, then although 101 is less than 103 it is still within [98,108], so the server also allows access and records that sequence number.
Further, in the embodiment of the present invention a validity period must also be set for the service ticket, for example 2 hours. According to the validity period of the service ticket, if it is determined that the service ticket is not within the preset validity period, the saved service ticket, the sequence-number window corresponding to it, and the recorded sequence numbers already accessed for it are cleared.
In this way the sequence-number window associated with the service ticket is stored together with a validity period, and once the validity period has passed the saved information can be cleared, so information storage is effectively bounded.
Moreover, in the embodiment of the present invention the client sends a login request to the server; after the server determines that the client's identity check passes, it generates a service ticket and an initial sequence number and sends them to the client. When the client subsequently sends service requests it carries that service ticket and an incrementing sequence number, from which the server judges whether the request is a replay attack. The service ticket and initial sequence number are obtained only at login and are used directly in later service requests; there is no need to request a service ticket and sequence number from the server again, and therefore no need for two or more interactions with the server on every service request. This reduces the number of interactions between client and server and improves efficiency and system performance.
Step 110: according to the preset validity period, judge whether the service ticket is within the preset validity period; if so, determine that the service ticket is valid.
For example, the preset validity period is 1 h. When the server receives the client's login request and returns the service ticket, the time is 10:00:00; the client later sends a service request carrying that service ticket, and the server receives the request at 10:30:00. The service ticket is therefore still within its validity period and is determined to be valid.
Further, if the service ticket is determined to have expired, the server requires the client to log in again. When it receives the client's login request anew it regenerates a service ticket and an initial sequence number, sends the newly generated service ticket and initial sequence number to the client, and thereby refreshes the client's service ticket and initial sequence number.
Before step 110 is executed, the method further comprises:
Determining, according to a preset anti-tamper check method, that the service request passes verification.
In the embodiment of the present invention the server and client agree on the anti-tamper check method in advance, for example a parameter dictionary-ordering method or a public-key encryption method; the method is not limited here. Its purpose is to protect the parameters in the service request so that they cannot be tampered with and thus to improve security: if a service request is intercepted and captured, the service ticket and sequence number in it cannot be altered and then used in a replay request to deceive the server.
In this way, after receiving a service request the server first judges, according to the preset anti-tamper check method, whether the request has been tampered with. Only after verification passes does it extract the service ticket and sequence number from the request and then judge, from the service ticket and sequence number, whether the request is a replay.
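The description leaves the anti-tamper check method open, naming only a "parameter dictionary-ordering method" and a "public-key encryption method" as examples. The following is an added example (not the patent's own code) of the dictionary-ordering kind: all request parameters are serialised in key order and covered by an HMAC-SHA256 tag, and the server extracts the service ticket and sequence number only after the tag verifies. The per-ticket shared key, the parameter names and the sample request are assumptions constructed for this illustration.

```python
# Added example, not the patent's own code: an anti-tamper check of the
# "parameter dictionary ordering" kind. HMAC-SHA256 keyed with a per-ticket
# secret, the parameter names and the sample values are all assumptions.
import hashlib
import hmac
from urllib.parse import urlencode


def canonical_string(params):
    """Serialise every parameter except the signature in dictionary (key) order,
    so client and server build byte-identical input whatever order was sent."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "sign")
    return urlencode(items)


def sign(params, key):
    """HMAC-SHA256 tag over the canonical string (hex encoded)."""
    return hmac.new(key, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def build_request(ticket, seq, key, **business_params):
    """Client side: attach the service ticket and sequence number, then sign everything."""
    params = {"ticket": ticket, "seq": seq, **business_params}
    params["sign"] = sign(params, key)
    return params


def verify_request(params, key):
    """Server side: return (ticket, seq) only if the tag checks out, so the replay
    check downstream never sees a ticket or sequence number that may have been altered."""
    presented = params.get("sign")
    if not presented or not hmac.compare_digest(presented, sign(params, key)):
        return None
    return params["ticket"], int(params["seq"])


# Constructed sample key and request (service ticket "A", sequence number 101).
SESSION_KEY = b"constructed-shared-secret-for-ticket-A"
SAMPLE = build_request("A", 101, SESSION_KEY, action="transfer", amount="10")
```

`verify_request` must run before the validity-period and sequence-number checks, exactly as the text orders the steps: a request whose `seq` or `ticket` was modified in transit fails here and never reaches the window logic. Constant-time comparison (`hmac.compare_digest`) is used for the tag so that verification time does not depend on how many leading characters matched.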
Step 120: according to the saved sequence-number window corresponding to the service ticket, judge whether the sequence number is within that window, and according to the recorded sequence numbers already accessed for the service ticket, judge whether the sequence number has not yet been recorded; if both hold, determine that the sequence number is legal and that the service request is not a replay request.
Further, if it is determined that the sequence number is within the sequence-number window, the saved window corresponding to the service ticket is updated so that it is centred on that sequence number with the preset window size, the sequence number is recorded, and the record of sequence numbers already accessed for the service ticket is updated.
In this way, in the embodiment of the present invention, once the service request is determined not to be a replay request the corresponding business logic can be processed; if it is determined to be a replay request, the service request can be discarded.
That is, in the embodiment of the present invention whether a sequence number is legal is judged on two conditions: one is the saved sequence-number window, the other is the recorded sequence numbers. The saved window is continually updated from the initial sequence number, the window size and the last sequence number judged legal, and the recorded sequence numbers are those already judged legal, that is, the sequence numbers already accessed.
For example, the sequence-number window saved by the server is [95,105] and no accessed sequence number has been recorded yet. Only a sequence number that is within this range and not yet recorded is allowed access, i.e. only then is the service request judged not to be a replay request. Suppose the service request sent by the client carries sequence number 104. Since 104 is within [95,105], access is allowed, 104 is recorded as an accessed sequence number, the window is adjusted to [99,109], and only the accessed sequence numbers that fall within the adjusted window are retained. If the client later sends a service request carrying sequence number 101, the server also allows access and records that sequence number. But if the client then sends a service request carrying sequence number 101 or 104 again, the server considers the request a replay request, because although both are within the window range, 101 and 104 are already present among the recorded accessed sequence numbers.
In the embodiment of the present invention the service request sent by the client carries a service ticket and an incrementing sequence number; the server judges whether the service ticket is valid according to the preset validity period, judges whether the sequence number is legal according to the saved sequence-number window corresponding to the service ticket, and from this judges whether the service request is a replay request. Thus the client only needs to obtain an initial sequence number at login; when sending multiple service requests afterwards it only needs to carry a sequence number incremented by the preset step in each request to satisfy the server's anti-replay-attack method. The client does not need to interact with the server first to obtain a random number on every service request, that is, it does not need the two or more interactions of the challenge-response method of the prior art, which improves system performance.
Moreover, in the embodiment of the present invention the sequence-number window associated with the service ticket is saved and a validity period is set, so information storage can be effectively bounded. Not just one sequence number is saved but a whole window of the preset window size, and a sequence number within that window is regarded as legal, which prevents false rejections under concurrent requests. The server side only needs to set a validity period for the service ticket and does not need to guarantee time synchronisation between server and client, which reduces complexity.
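To make steps 100 to 120 concrete, the following is an added example (not the patent's own code) of the server-side state this method keeps: on login it issues a service ticket and initial sequence number and saves a window centred on that value; on each service request it applies the validity-period check, the window check and the already-recorded check in that order, then re-centres the window and prunes the recorded numbers that fell outside it. The class and function names, the in-memory dictionary store, the constructed user table and the injectable clock are assumptions made for this illustration; the numbers in the `__main__` walkthrough are the ones used in the description (initial value 100, window size 11, then 103 and 101).

```python
# Added example, not the patent's own code: the server-side replay filter of
# the service-ticket + sequence-number-window scheme. Names, the in-memory
# store, the constructed user table and the injectable clock are assumptions.
import secrets
import time
from dataclasses import dataclass, field

# Constructed user table standing in for the server's saved username/password records.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class TicketState:
    """Everything the server saves per service ticket."""
    issued_at: float                            # time the ticket was returned at login
    window_lo: int                              # sequence-number window, inclusive bounds
    window_hi: int
    accessed: set = field(default_factory=set)  # sequence numbers already accessed


class ReplayFilter:
    def __init__(self, window_size=11, validity_seconds=3600, clock=time.time):
        self.half = window_size // 2            # size 11 -> 5 either side of the centre
        self.validity = validity_seconds
        self.clock = clock
        self.tickets = {}                       # service ticket -> TicketState

    def _identity_ok(self, username, password):
        saved = USERS.get(username)
        return saved is not None and secrets.compare_digest(saved, password)

    def login(self, username, password, initial_seq=100):
        """Return (ticket, initial sequence number), or None if the identity check fails.
        The window is generated centred on the initial value and saved with the ticket."""
        if not self._identity_ok(username, password):
            return None
        ticket = secrets.token_hex(16)
        self.tickets[ticket] = TicketState(
            issued_at=self.clock(),
            window_lo=initial_seq - self.half,
            window_hi=initial_seq + self.half,
        )
        return ticket, initial_seq

    def window(self, ticket):
        state = self.tickets[ticket]
        return state.window_lo, state.window_hi

    def check(self, ticket, seq):
        """Classify a service request as 'ok', 'expired' or 'replay'."""
        state = self.tickets.get(ticket)
        if state is None:
            return "expired"                    # unknown or already cleared: log in again
        if self.clock() - state.issued_at > self.validity:
            del self.tickets[ticket]            # clear ticket, window and accessed numbers
            return "expired"
        if not (state.window_lo <= seq <= state.window_hi):
            return "replay"                     # outside the window
        if seq in state.accessed:
            return "replay"                     # already recorded
        # Legal: record it, re-centre the window on it, and keep only the accessed
        # numbers that still fall inside the adjusted window.
        state.accessed.add(seq)
        state.window_lo, state.window_hi = seq - self.half, seq + self.half
        state.accessed = {s for s in state.accessed
                          if state.window_lo <= s <= state.window_hi}
        return "ok"


if __name__ == "__main__":
    f = ReplayFilter()
    ticket, seq = f.login("alice", "correct horse battery staple")
    print(f.window(ticket))                         # (95, 105)
    print(f.check(ticket, 103), f.window(ticket))   # ok (98, 108)
    print(f.check(ticket, 101))                     # ok: below 103 but inside the window
    print(f.check(ticket, 103))                     # replay: already recorded
```

The window is re-centred on every accepted sequence number exactly as the text describes, including when the accepted number is lower than the previous centre (after 103 then 101 the window is [96,106]); an implementation that only ever moves the window forward is a common variant but is not what this page describes. Expiry is checked first and clears all per-ticket state, so a stale ticket costs the server no window or record storage, which is the storage-bounding property the description claims.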
The above embodiment is further described below using a specific application scenario. Referring to Fig. 2, in an embodiment of the present invention the anti-replay-attack method is executed as follows:
Step 200: receive the service request sent by the client.
The client obtains the service ticket and initial sequence number returned by the server when it sends the login request. Thereafter the client carries the service ticket and a sequence number whenever it sends a service request, and the sequence number in each service request is continually incremented by the preset step. The client does not need to interact with the server to obtain a random number before each service request, which reduces the number of interactions and improves system performance.
For example, if the sequence number carried in the previous service request was 100 and the preset increment step is 1, the sequence number carried in this service request is 101.
Step 201: judge whether the anti-tamper check passes; if so, go to step 203, otherwise go to step 202.
Specifically, judge according to the preset anti-tamper check method whether the service request passes verification, both to prevent the parameters in the service request from being tampered with and to further prevent replay attacks. After verification passes, the server extracts the service ticket and sequence number from the service request.
Step 202: verification fails.
Step 203: judge whether the service ticket in the service request is valid; if so, go to step 205, otherwise go to step 204.
Specifically: according to the preset validity period, judge whether the service ticket is within the preset validity period.
Step 204: the service ticket is invalid.
Further, if the service ticket is determined to be invalid, the service ticket, its associated sequence-number window, and the recorded sequence numbers already accessed for it can be cleared, reducing information storage.
Step 205: judge whether the sequence number in the service request is legal; if so, go to step 207, otherwise go to step 206.
Specifically: according to the saved sequence-number window corresponding to the service ticket, judge whether the sequence number is within the window, and according to the recorded sequence numbers already accessed for the service ticket, judge whether the sequence number has not yet been recorded. If both hold, the sequence number is judged legal; otherwise it is judged illegal.
Step 206: determine that the service request is a replay request.
Step 207: determine that the service request is not a replay request, record the sequence number in the service request, and update the saved sequence-number window corresponding to the service ticket.
Step 208: process the business logic.
Based on the above embodiment, as shown in fig.3, in the embodiment of the present invention, anti-replay-attack device is specifically included:
First receiving unit 30, for receiving the service request of client transmission, wherein at least wrapped in the service request The Service Ticket and sequence number of the client are included, the Serial No. client carries when sending service request according to the last time Sequence number and default incremental steps obtain;
First judging unit 31, for judging the Service Ticket whether described preset according to preset validity period In validity period, if then determining that the Service Ticket is effective;
Second judgment unit 32 judges the sequence for the corresponding window of sequence numbers of the Service Ticket according to preservation Whether row number is sentenced in the window of sequence numbers, and according to the corresponding sequence number accessed of the Service Ticket of record Whether the sequence number that breaks is not recorded, if being to be, it is determined that the sequence number is legal, and determines that the service request is not Playback request.
Preferably, further comprising:
Second receiving unit 33, for receiving the logging request of client transmission;
Transmission unit 34, after determining that the proof of identity of the client passes through, Xiang Suoshu client return authentication with Card and sequence number initial value;
Updating unit 35 is saved, is used for according to preset window size and the sequence number initial value, with the sequence number Centered on initial value, according to the preset window size, formation sequence window, and by the sequence in the window of sequence numbers Row number saves the Service Ticket and the corresponding sequence number of the Service Ticket as the corresponding sequence number of the Service Ticket Window.
It is further used for preferably, saving updating unit 35:
If it is determined that the sequence number is in the window of sequence numbers, then with the Serial No. center, according to preset window Mouthful size, updates the corresponding window of sequence numbers of the Service Ticket of preservation, and record the sequence number, more new record it is described The corresponding sequence number accessed of Service Ticket.
Preferably, further comprising:
Clearing cell 36, for if it is determined that the Service Ticket then removes preservation not within the preset validity period The Service Ticket, the corresponding window of sequence numbers of the Service Ticket, and the Service Ticket of record corresponding have accessed Sequence number.
Preferably, further comprising:
Third judging unit 37, for determining that the service request verification passes through according to preset anti-tamper method of calibration.
Fig. 4 is a schematic structural diagram of a server in an embodiment of the present invention.
An embodiment of the present invention provides a server, which may include a processor 410 (Central Processing Unit, CPU), a memory 420, an input device 430 and an output device 440, etc. The input device 430 may include a keyboard, a mouse, a touch screen, etc.; the output device 440 may include a display device such as a liquid crystal display (Liquid Crystal Display, LCD) or a cathode-ray tube (Cathode Ray Tube, CRT).
The memory 420 may include read-only memory (ROM) and random access memory (RAM), and provides the processor 410 with the program instructions and data stored in the memory 420. In embodiments of the present invention, the memory 420 may be used to store the program of the above anti-replay-attack method.
The processor 410 calls the program instructions stored in the memory 420 and is configured to execute, according to the obtained program instructions:
receiving a service request sent by a client, wherein the service request includes at least a Service Ticket of the client and a sequence number, the sequence number being obtained by the client by incrementing the sequence number carried in its last service request by a preset step;
judging, according to a preset validity period, whether the Service Ticket is within the preset validity period, and if so, determining that the Service Ticket is valid;
judging, according to the saved sequence number window corresponding to the Service Ticket, whether the sequence number is within the sequence number window, and judging, according to the recorded accessed sequence numbers corresponding to the Service Ticket, whether the sequence number has not been recorded; if both are true, determining that the sequence number is legal and that the service request is not a replay request.
Preferably, the processor 410 is further configured to:
receive a login request sent by the client;
after determining that the identity check of the client passes, return a Service Ticket and an initial sequence number to the client, generate, according to a preset window size and the initial sequence number, a sequence number window centered on the initial sequence number, take the sequence numbers in the sequence number window as the sequence numbers corresponding to the Service Ticket, and save the Service Ticket and the sequence number window corresponding to the Service Ticket.
Preferably, the processor 410 is further configured to:
if it is determined that the sequence number is within the sequence number window, update the saved sequence number window corresponding to the Service Ticket to a window centered on that sequence number according to the preset window size, and record the sequence number, thereby updating the recorded accessed sequence numbers corresponding to the Service Ticket.
Preferably, the processor 410 is further configured to:
if it is determined that the Service Ticket is not within the preset validity period, clear the saved Service Ticket, the sequence number window corresponding to the Service Ticket, and the recorded accessed sequence numbers corresponding to the Service Ticket.
Preferably, the processor 410 is further configured to:
determine, according to a preset anti-tamper verification method, that the service request passes verification.
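The processor steps above (the same steps appear as method claims 1 to 5 below) describe the complete check: the Service Ticket must be inside its validity period, the sequence number must fall inside a window centered on the last accepted number and must not already be recorded, the window is re-centered and the number recorded on acceptance, the state is cleared once the ticket expires, and an unspecified anti-tamper verification is applied. What follows is a worked example of that scheme added to this page; it is not code from the patent or from the applicant. The HMAC-SHA256 tag used as the anti-tamper check, the window half-width of 4, the step of 1, the 600 s validity period, the random initial sequence number, the pruning of recorded numbers that have slid out of the window, and every name (`ReplayGuard`, `Client`, `demo`) are assumptions made here; the patent only calls these parameters "preset".

```python
"""Added worked example of the patent's sequence-window anti-replay check
(not the patent's own code).  A login issues a Service Ticket plus an
initial sequence number; every service request carries the ticket and the
client's next number (last + STEP).  The server checks the ticket's
validity period, the request's integrity, that the number lies inside the
window centred on the last accepted number, and that it was not recorded
before; on success it re-centres the window and records the number.
Assumptions: HMAC-SHA256 as the anti-tamper check, the constants below,
and pruning of recorded numbers that have left the window."""
import hashlib
import hmac
import secrets
import time

WINDOW_HALF = 4      # assumed: window covers centre-4 .. centre+4
TICKET_TTL = 600.0   # assumed validity period, seconds
STEP = 1             # assumed client increment step


def window(centre: int) -> range:
    """Sequence numbers currently acceptable for a ticket."""
    return range(centre - WINDOW_HALF, centre + WINDOW_HALF + 1)


def tag(key: bytes, ticket: str, seq: int, body: str) -> str:
    """Assumed anti-tamper check: HMAC over ticket, sequence number and body."""
    return hmac.new(key, f"{ticket}|{seq}|{body}".encode(), hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side: ticket -> window centre, issue time, accepted numbers."""

    def __init__(self, key: bytes, now=time.time):
        self._key, self._now, self._state = key, now, {}

    def login(self, identity_ok: bool):
        """Return (ticket, initial sequence number) once the identity check passes."""
        if not identity_ok:
            return None
        ticket = secrets.token_hex(16)
        seq0 = secrets.randbelow(2**31)    # random start hides the request count
        self._state[ticket] = {"centre": seq0, "issued": self._now(), "seen": set()}
        return ticket, seq0

    def verify(self, ticket: str, seq: int, body: str, mac: str) -> str:
        st = self._state.get(ticket)
        if st is None:
            return "unknown_ticket"
        # 1. validity period: an expired ticket is purged with its window and record
        if self._now() - st["issued"] > TICKET_TTL:
            del self._state[ticket]
            return "expired"
        # 2. integrity, before the sequence number is trusted at all
        if not hmac.compare_digest(tag(self._key, ticket, seq, body), mac):
            return "tampered"
        # 3. inside the window, and not yet recorded
        if seq not in window(st["centre"]):
            return "out_of_window"
        if seq in st["seen"]:
            return "replay"
        # accept: re-centre and record; numbers now outside the window can never
        # be accepted again, so dropping them keeps the record bounded
        st["centre"] = seq
        st["seen"] = {s for s in st["seen"] | {seq} if s in window(seq)}
        return "ok"


class Client:
    """Client side: holds the ticket and the last sequence number it sent."""

    def __init__(self, key: bytes, ticket: str, seq0: int):
        self._key, self.ticket, self.seq = key, ticket, seq0

    def request(self, body: str, seq=None):
        if seq is None:
            self.seq += STEP               # next number = last sent + preset step
            seq = self.seq
        return self.ticket, seq, body, tag(self._key, self.ticket, seq, body)


def demo() -> list:
    """Run the exchange against a controllable clock and return the verdicts."""
    key = b"constructed-demo-key"          # constructed shared secret
    clock = [1_000.0]
    guard = ReplayGuard(key, now=lambda: clock[0])
    ticket, seq0 = guard.login(identity_ok=True)
    client = Client(key, ticket, seq0)
    first = client.request("GET /balance")
    verdicts = [guard.verify(*first), guard.verify(*first)]      # ok, replay
    t, s, _, mac = client.request("GET /balance")
    verdicts.append(guard.verify(t, s, "POST /transfer", mac))  # tampered
    verdicts.append(guard.verify(t, s, "GET /balance", mac))    # ok
    # far ahead of the window: rejected even though the tag is valid
    verdicts.append(guard.verify(*client.request("GET /balance", seq=s + 100)))
    clock[0] += TICKET_TTL + 1                                  # ticket expires
    verdicts.append(guard.verify(*client.request("GET /balance")))  # expired
    verdicts.append(guard.verify(*client.request("GET /balance")))  # unknown_ticket
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The integrity tag is checked before the sequence number: if the order were reversed, an attacker without the key could still distinguish "out of window" from "tampered" replies and map where the server's window currently sits. Pruning `seen` to the current window is an addition to the patent's description, which records accessed numbers without bound; a number that has slid out of the window is already rejected by the window test, so nothing is lost by dropping it.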
Based on the above embodiments, an embodiment of the present invention provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the anti-replay-attack method of any of the above method embodiments.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, the device (system) and the computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, a special purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of guiding a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce a manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, once a person skilled in the art knows the basic inventive concept, additional changes and modifications may be made to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (12)

1. An anti-replay-attack method, characterized by comprising:
receiving a service request sent by a client, wherein the service request includes at least a Service Ticket of the client and a sequence number, the sequence number being obtained by the client by incrementing the sequence number carried in its last service request by a preset step;
judging, according to a preset validity period, whether the Service Ticket is within the preset validity period, and if so, determining that the Service Ticket is valid;
judging, according to the saved sequence number window corresponding to the Service Ticket, whether the sequence number is within the sequence number window, and judging, according to the recorded accessed sequence numbers corresponding to the Service Ticket, whether the sequence number has not been recorded; if both are true, determining that the sequence number is legal and that the service request is not a replay request.
2. The method according to claim 1, characterized by further comprising:
receiving a login request sent by the client;
after determining that the identity check of the client passes, returning a Service Ticket and an initial sequence number to the client, generating, according to a preset window size and the initial sequence number, a sequence number window centered on the initial sequence number, taking the sequence numbers in the sequence number window as the sequence numbers corresponding to the Service Ticket, and saving the Service Ticket and the sequence number window corresponding to the Service Ticket.
3. The method according to claim 1, characterized by further comprising:
if it is determined that the sequence number is within the sequence number window, updating the saved sequence number window corresponding to the Service Ticket to a window centered on that sequence number according to the preset window size, and recording the sequence number, thereby updating the recorded accessed sequence numbers corresponding to the Service Ticket.
4. The method according to claim 1, characterized by further comprising:
if it is determined that the Service Ticket is not within the preset validity period, clearing the saved Service Ticket, the sequence number window corresponding to the Service Ticket, and the recorded accessed sequence numbers corresponding to the Service Ticket.
5. The method according to any one of claims 1-4, characterized by further comprising:
determining, according to a preset anti-tamper verification method, that the service request passes verification.
6. An anti-replay-attack device, characterized by comprising:
a first receiving unit, configured to receive a service request sent by a client, wherein the service request includes at least a Service Ticket of the client and a sequence number, the sequence number being obtained by the client by incrementing the sequence number carried in its last service request by a preset step;
a first judging unit, configured to judge, according to a preset validity period, whether the Service Ticket is within the preset validity period, and if so, determine that the Service Ticket is valid;
a second judging unit, configured to judge, according to the saved sequence number window corresponding to the Service Ticket, whether the sequence number is within the sequence number window, and to judge, according to the recorded accessed sequence numbers corresponding to the Service Ticket, whether the sequence number has not been recorded; if both are true, determine that the sequence number is legal and that the service request is not a replay request.
7. The device according to claim 6, characterized by further comprising:
a second receiving unit, configured to receive a login request sent by the client;
a transmission unit, configured to return a Service Ticket and an initial sequence number to the client after determining that the identity check of the client passes;
a saving and updating unit, configured to generate, according to a preset window size and the initial sequence number, a sequence number window centered on the initial sequence number, take the sequence numbers in the sequence number window as the sequence numbers corresponding to the Service Ticket, and save the Service Ticket and the sequence number window corresponding to the Service Ticket.
8. The device according to claim 6, characterized in that the saving and updating unit is further configured to:
if it is determined that the sequence number is within the sequence number window, update the saved sequence number window corresponding to the Service Ticket to a window centered on that sequence number according to the preset window size, and record the sequence number, thereby updating the recorded accessed sequence numbers corresponding to the Service Ticket.
9. The device according to claim 6, characterized by further comprising:
a clearing unit, configured to, if it is determined that the Service Ticket is not within the preset validity period, clear the saved Service Ticket, the sequence number window corresponding to the Service Ticket, and the recorded accessed sequence numbers corresponding to the Service Ticket.
10. The device according to any one of claims 6-9, characterized by further comprising:
a third judging unit, configured to determine, according to a preset anti-tamper verification method, that the service request passes verification.
11. A computer device, characterized by comprising:
at least one memory, configured to store a computer program;
at least one processor, configured to implement the steps of the method according to any one of claims 1-5 when executing the computer program stored in the memory.
12. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1-5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711079676.4A CN109756460B (en) 2017-11-06 2017-11-06 Replay attack prevention method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711079676.4A CN109756460B (en) 2017-11-06 2017-11-06 Replay attack prevention method and device

Publications (2)

Publication Number Publication Date
CN109756460A true CN109756460A (en) 2019-05-14
CN109756460B CN109756460B (en) 2021-07-09

Family

ID=66400334

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711079676.4A Active CN109756460B (en) 2017-11-06 2017-11-06 Replay attack prevention method and device

Country Status (1)

Country Link
CN (1) CN109756460B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111200599A (en) * 2019-12-28 2020-05-26 浪潮电子信息产业股份有限公司 Access authentication method, device, equipment and readable storage medium
CN113132338A (en) * 2020-01-15 2021-07-16 中国移动通信有限公司研究院 Authentication processing method, device and equipment
WO2022067627A1 (en) * 2020-09-30 2022-04-07 Zte Corporation A method for preventing leakage of authentication sequence number of a mobile terminal
CN112291270A (en) * 2020-12-08 2021-01-29 北京和利时系统工程有限公司 Data transmission method and device
WO2022242523A1 (en) * 2021-05-16 2022-11-24 武汉领普科技有限公司 Self-powered switch and processing method therefor, and receiver and processing method therefor
CN113726796A (en) * 2021-08-31 2021-11-30 平安国际智慧城市科技股份有限公司 Data interaction method, device, equipment and medium based on medical Internet of things
CN113726796B (en) * 2021-08-31 2023-10-27 深圳平安智慧医健科技有限公司 Data interaction method, device, equipment and medium based on medical internet of things

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104038505A (en) * 2014-06-24 2014-09-10 杭州华三通信技术有限公司 Method and device for preventing IPSec (internet protocol security) replaying
US20150326539A1 (en) * 2014-03-31 2015-11-12 EXILANT Technologies Private Limited Increased communication security

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105681470B (en) * 2012-03-29 2018-12-28 北京奇虎科技有限公司 Communication means, server based on hypertext transfer protocol, terminal
CN102739659B (en) * 2012-06-16 2015-07-08 华南师范大学 Authentication method for preventing replay attack
CN104092697B (en) * 2014-07-18 2017-09-15 新华三技术有限公司 A kind of time-based anti-replay method and device
CN106713305B (en) * 2016-12-20 2019-12-03 浪潮通用软件有限公司 It is a kind of that Replay Attack method is prevented based on the configuration of functional level time-out

Also Published As

Publication number Publication date
CN109756460B (en) 2021-07-09

Similar Documents

Publication Publication Date Title
CN109756460A (en) A kind of anti-replay-attack method and device
EP3481029B1 (en) Internet defense method and authentication server
US9807092B1 (en) Systems and methods for classification of internet devices as hostile or benign
CN104348614B (en) The method, apparatus and server of identity legitimacy verifying
CN105491054B (en) Judgment method, hold-up interception method and the device of malicious access
CN107211016B (en) Session security partitioning and application profiler
CN109712278A (en) Intelligent door lock identity identifying method, system, readable storage medium storing program for executing and mobile terminal
CN109522726A (en) Method for authenticating, server and the computer readable storage medium of small routine
CN106339613B (en) A kind of processing method, terminal and server using data
CN104869102B (en) Authorization method, device and system based on xAuth agreement
CN107770140A (en) A kind of single sign-on authentication method and device
Van Goethem et al. Timeless timing attacks: Exploiting concurrency to leak secrets over remote connections
CN106713276B (en) A kind of data capture method and its system based on authorization identifying
US20170289159A1 (en) Security support for free wi-fi and sponsored connectivity for paid wi-fi
CN109861968A (en) Resource access control method, device, computer equipment and storage medium
US10560364B1 (en) Detecting network anomalies using node scoring
CN108696356A (en) A kind of digital certificate delet method, apparatus and system based on block chain
US20220200999A1 (en) Authentication Using Device and User Identity
CN107862198A (en) One kind accesses verification method, system and client
US10122755B2 (en) Method and apparatus for detecting that an attacker has sent one or more messages to a receiver node
CN103178969A (en) Service authentication method and system
CN115242546A (en) Industrial control system access control method based on zero trust architecture
CN106209905A (en) A kind of network safety managing method and device
Alshomrani et al. PUFDCA: A Zero‐Trust‐Based IoT Device Continuous Authentication Protocol
CN112118572B (en) Data safety transmission system and method based on 5G communication in industrial network scene

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant